
IBM PC and Compatibles Virus Alerts



W32/MyWife.d@MM!M24
(aka Blackworm)
Jan. 26, 2006

Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4682 (released 1/25/2006)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_138027.htm
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html (Sophos)
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html (Symantec)
http://isc.sans.org/blackworm (SANS ISC)
Symantec Blackmal removal tool

Be on the alert for a new worm, called Blackworm, that spreads via email attachments or file shares. The email claims to contain obscene pictures and sex movies. McAfee rates the threat as low, but it has been receiving some press lately.

It has a data destroying payload set to trigger on February 3rd (and the 3rd of any month). Blackworm destroys DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files by replacing their contents with the string:
DATA Error [47 0F 94 93 F4 K5]
Blackworm is also called W32/MyWife.d@MM!M24 (McAfee), W32/Nyxem-D (Sophos) and W32.Blackmal.e@mm (Symantec). It has been assigned CME-24. See http://cme.mitre.org/ for other aliases for Blackworm.
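The payload described above leaves a recognisable fingerprint: every affected file begins with the fixed marker string. The following triage script is an added example, not part of this alert or of any vendor tool; it walks a directory tree and lists files of the targeted types whose contents have been replaced by that marker, so they can be restored from backup. The sample tree it builds is constructed for the demonstration.

```python
"""Triage helper: find files that the Blackworm payload has overwritten."""
import os
import tempfile
from pathlib import Path

# File types named in the alert as targets of the 3rd-of-the-month payload.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}
# The string the worm writes in place of the original contents.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_destroyed(path):
    """True if the file begins with the Blackworm marker string."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        return False
    return head == MARKER


def find_destroyed(root):
    """Walk root and return sorted POSIX-style relative paths of target-type
    files whose contents have been replaced by the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in TARGET_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if is_destroyed(full):
                hits.append(Path(os.path.relpath(full, root)).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree (not real victim data): one intact PDF, two
    overwritten documents, and a .txt that carries the marker but is not a
    target type, so it is deliberately not reported."""
    root = tempfile.mkdtemp(prefix="blackworm_demo_")
    samples = {
        "report.pdf": b"%PDF-1.4\n% intact placeholder content\n",
        "thesis.doc": MARKER,
        "backup/archive.zip": MARKER,
        "notes.txt": MARKER,
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_destroyed(demo_root):
        print("overwritten by payload:", hit)
```

Run it against a file share root after the trigger date; a hit list that is empty for one share and long for another tells you which backups to pull. The extension filter mirrors the alert's list, so a file of another type carrying the marker is not reported; drop the filter if you want everything.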

Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

The worm also:
  • Turns off anti-virus applications
  • Sends itself to email addresses found on the infected computer
  • Deletes files off the computer
  • Forges the sender's email address
  • Uses its own emailing engine
  • Downloads code from the internet
  • Reduces system security
  • Installs itself in the Registry
WHAT TO DO

McAfee released DAT files to detect this threat. It is very important to keep your anti-virus DAT files current, as updates/enhancements are released daily. You will need McAfee DAT 4682 (released 1/25/06) or later to detect W32/Mywife.d@MM!M24.

It is advised that you update your DAT files to the current version, scan all files on your local hard drives, and ensure that your file shares have strong passwords. Disable file sharing if it is not needed.

EMAIL COMPONENT

The worm arrives via email with a spoofed FROM address and a PIF or a MIME-encoded attachment.

SUBJECT: includes one of the following or may be blank
  • Photos
  • My photos
  • School girl fantasies gone bad
  • Part 1 of 6 Video clipe
  • *Hot Movie*
  • Re:
  • Fw: Picturs
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Fw:
  • Fwd: Crazy illegal Sex!
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: DSC-00465.jpg
  • Re: Sex Video
  • Word file
  • the file
  • eBook.pdf
  • Miss Lebanon 2006
  • A Great Video
  • give me a kiss
BODY: (varies, such as)
  • Note: forwarded message attached.
  • You Must View This Videoclip!
  • >> forwarded message
  • i just any one see my photos.
  • forwarded message attached.
  • Please see the file.
  • ----- forwarded message -----
  • The Best Videoclip Ever
  • Hot XXX Yahoo Groups
  • F***in Kama Sutra pics
  • ready to be F***ED ;)
  • VIDEOS! FREE! (US$ 0,00)
  • It's Free :)
  • hello,
  • i send the file.
  • bye
  • hi
  • i send the details
  • i attached the details.
  • how are you?
  • What?
  • Thank you
  • i send the details.
  • OK ?
ATTACHMENT: may either be an executable itself or a MIME-encoded file which contains the executable.

The executable filename is one of the following:
  • 04.pif
  • 007.pif
  • School.pif
  • photo.pif
  • DSC-00465.Pif
  • Arab sex DSC-00465.jpg
  • image04.pif
  • 677.pif
  • DSC-00465.pIf
  • New_Document_file.pif
  • eBook.PIF
  • document.pif
The MIME-encoded filename is one of the following:
  • SeX.mim
  • Sex.mim
  • WinZip.BHX
  • 3.92315089702606E02.UUE
  • Attachments[001].B64
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu
  • Attachments00.HQX
  • Attachments001.BHX
  • Video_part.mim
W32/Mywife.d copies itself with some of the following filenames:
  • <Windows>\Rundll16.exe
  • <System>\scanregw.exe
  • <System>\Winzip.exe
  • <System>\Update.exe
  • <System>\WinZip_Tmp.exe
  • <System>\New WinZip File.exe
  • movies.exe
  • Zipped Files.exe
NETWORK SHARE COMPONENT

The worm will attempt to copy itself to the following shares, using the current user's authentication:
  • C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
  • Admin$\winzip_tmp.exe
  • C$\winzip_tmp.exe
The worm creates scheduled tasks to run winzip_tmp.exe during the 59th minute of every hour.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/Sober@MM!M681
(aka W32/Sober-Z (Sophos))
November 23, 2005

Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4635 (released 11/23/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_137072.htm
http://www.sophos.com/virusinfo/analyses/w32soberz.html (Sophos)
Stinger removal tool (v2.5.9, 11/22/05)

As reported yesterday, a new Sober email virus variant is circulating around the Internet with a spoofed FROM address (examples reported include hostmaster@hawaii.edu, postman@hawaii.edu, admin@yahoo.com, admin@cia.gov) and a ZIP attachment.

McAfee has raised the risk assessment to MEDIUM due to increased prevalence. Please update your McAfee DAT to 4635 (released 11/23/05) to detect this threat.

The Stinger removal tool (v2.5.9, renamed stng259.exe) has been updated (11/22/05) to detect this threat. Download Stinger from http://vil.nai.com/vil/stinger/ and run it if you suspect that your computer has been infected.

The attachment is one of the following:
  • reg_pass-data.zip
  • reg_pass.zip
  • question_list.zip
  • mailtext.zip
  • mail_body.zip
  • mail.zip
  • list.zip
  • email_text.zip
Here are samples of the Sober virus email:

Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!

plz read and check ...
cyaaaaaaa


Subject: Registration Confirmation
or
Subject: Your Password
Body: Account and Password Information are attached!


Subject: Paris Hilton & Nicole Richie
Body:
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!

Please use our Download manager.


Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time


Subject: You visit illegal websites
Body:
Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.


Yours faithfully,
Steven Allison

*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000


Subject: Registration_Confirmation
Body:
Protected message is attached!


***** Go to: http://www.your_domain
***** Email: postman@your_domain


The virus also sends email messages in German.

When the attachment is opened, a fake error message "error in packed header" is displayed. The virus creates a directory, WinSecurity, in %Windir%, the default Windows directory (c:\windows or c:\winnt). It copies itself as the following files:
  • %Windir%\csrss.exe
  • %Windir%\WinSecurity\services.exe
  • %Windir%\WinSecurity\smss.exe
It creates MIME-encoded .ZIP files that contain a copy of the worm:
  • %Windir%\WinSecurity\socket1.ifo
  • %Windir%\WinSecurity\socket2.ifo
  • %Windir%\WinSecurity\socket3.ifo
It creates other non-malicious files in %Windir%\WinSecurity and %System%, the default System directory (c:\windows\system for Win95/98/ME, c:\Winnt\System32 for WinNT/2000, c:\Windows\System32 for WinXP).

Two registry keys are created to load the worm on startup:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " Windows" = C:\WINDOWS\WinSecurity\services.exe
It gathers email addresses from files on the infected computer and attempts to terminate processes including McAfee's Stinger removal tool. See virus description for the list of processes.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/Bagle.ck
(aka Troj/BagleDL-U (Sophos))
September 19, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4585 (released 9/19/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_136039.htm
http://www.sophos.com/virusinfo/analyses/trojbagledlu.html (Sophos)

A new Bagle variant was mass spammed today. It arrives via email as a .ZIP attachment with a filename including the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc.). Other similar Bagle variants were also mass spammed today.

This variant copies itself to the Windows system folder (c:\windows\system32, c:\winnt\system32, c:\windows\system) as WINSHOST.EXE and adds the following registry hooks:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
  • HKEY_CURRENT_USER\Software\FirstRun (infection marker)
It drops a file wiwshost.exe in the system directory. This file gets injected into the EXPLORER process and tries to download a file osa6.gif from various sites.

It attempts to terminate processes and services and to delete registry entries related to security and antivirus programs.

It overwrites the HOSTS file with the following single line, discarding any existing entries:

127.0.0.1 localhost

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/IRCbot.worm!MS05-039
(aka W32.Zotob.E (Symantec), W32/Tpbot-A (Sophos))
August 16, 2005

Platform: Windows 2000
Risk Assessment: High
Minimum VirusScan DAT: 4560 (released 8/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135491.htm
Stinger removal tool: v2.5.6 (8/16/05)

The W32/IRCbot.worm!MS05-039 spreads via IRC (Internet Relay Chat) and via the network by exploiting Windows systems unpatched for the MS05-039 Plug and Play (PnP) vulnerability.

You must patch your Windows system or your system will get reinfected! There are many worms exploiting the MS05-039 PnP vulnerability. (See War of the Worms).

To Patch Your Windows System

Open Internet Explorer and go to http://windowsupdate.microsoft.com and install all critical updates.

If you are having problems with the windowsupdate site, download the MS05-039 patch from:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Be sure to click on the right link for your operating system.

You may use the Stinger removal tool (dated 8/16/05) to scan your hard drive for this worm. Remember: patch first, update your DAT, and then scan your hard drive.

The worm can run on, but not infect, computers running Windows 95/98/ME/NT4/XP. Although these operating systems can not be infected, they can still be used to infect vulnerable computers that they connect to.

The worm is designed to contact a remote IRC server and wait for further instructions from the hacker.

When the file is run, the virus copies itself into the Windows System directory as wintbp.exe. The file can be run automatically by exploiting the MS05-039 vulnerability or by a hacker directly executing the worm.

Registry keys are created to load the worm at startup:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
The infected computer scans the network for Windows computers unpatched for the MS05-039 vulnerability on tcp port 445. When a vulnerable system is found, it uses a buffer overflow to write the worm to the computer via a TFTP upload on port 8594.

The infected computer may become unstable and reboot.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/Zotob-A and W32/Zotob-B (Sophos)
(aka W32/Zotob.worm)
August 15, 2005

Platform: Windows 2000
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135433.htm
http://www.sophos.com/virusinfo/analyses/w32zotoba.html (Sophos)
http://www.sophos.com/virusinfo/analyses/w32zotobb.html (Sophos)
http://www.f-secure.com/v-descs/zotob_a.shtml (F-Secure)
http://www.f-secure.com/v-descs/zotob_b.shtml (F-Secure)

The W32/Zotob-A worm exploits the MS05-039 plug and play vulnerability (KB899588); the security bulletin was issued by Microsoft on August 9, 2005. Details and patches are available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx. A remote attacker could exploit the vulnerability and take complete control of the affected system. Windows 2000 systems are primarily at risk.

Note: All Windows systems should be updated with the latest round of Windows patches released by Microsoft on August 9, 2005. Open Internet Explorer and go to http://windowsupdate.microsoft.com. Apply all critical patches.

W32/Zotob-A spreads via the network by scanning for vulnerable unpatched systems on destination tcp port 445, exploiting buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039). It runs continuously in the background. It provides a backdoor server allowing a remote hacker to gain access and control over the computer.

Spreading using Plug and Play service vulnerability
(From F-Secure http://www.f-secure.com/v-descs/zotob_a.shtml)

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445.

It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0) network of the infected system. First it tests the connection to port 445 and, if successful, it tries to exploit the vulnerability. If the attack is successful a shell (cmd.exe) is started on port 8888. Through the shell port, the worm sends an FTP script which instructs the remote computer to download and execute the worm from the attacker's computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm to other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.

Here's the summary of the ports used in attack:

Port 445 - The worm scans for systems vulnerable to PnP exploit through this port

Port 33333 - FTP server port on infected systems

Port 8888 - The command shell port opened by the exploit code

The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected.
-------------------------------
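The port summary above, together with the tcp/445 scanning and TFTP upload on port 8594 described for W32/IRCbot.worm!MS05-039 earlier on this page, gives a network-side signature: one host fanning out to many neighbours on 445, followed by connections on the exploit's follow-on ports. The script below is an added example written for this page, not a vendor detection; it runs that logic over a constructed connection log in a simple "time src dst port" format (a real deployment would parse firewall or NetFlow records instead) and reports hosts that match.

```python
"""Detect MS05-039 worm behaviour (Zotob, IRCbot) in a connection log."""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "src dst port")

# Ports named in the Zotob and IRCbot alerts and what they mean.
WORM_PORTS = {
    8888: "command shell opened by the Zotob exploit",
    33333: "Zotob FTP server offering the worm body",
    8594: "IRCbot TFTP upload port",
}
SCAN_THRESHOLD = 20  # distinct hosts contacted on tcp/445 before we call it a scan


def parse_line(line):
    """Parse a constructed log line of the form '<time> <src> <dst> <port>'."""
    _time, src, dst, port = line.split()
    return Conn(src, dst, int(port))


def analyze(lines, threshold=SCAN_THRESHOLD):
    """Return {scanning_host: [findings]} for hosts that fan out on tcp/445,
    enriched with the follow-on exploit ports seen to or from them."""
    targets_445 = defaultdict(set)
    outbound_worm_ports = defaultdict(set)   # src -> WORM_PORTS it connected to
    inbound_worm_ports = defaultdict(set)    # dst -> WORM_PORTS others reached on it
    for line in lines:
        conn = parse_line(line)
        if conn.port == 445:
            targets_445[conn.src].add(conn.dst)
        elif conn.port in WORM_PORTS:
            outbound_worm_ports[conn.src].add(conn.port)
            inbound_worm_ports[conn.dst].add(conn.port)
    findings = {}
    for src, dsts in targets_445.items():
        if len(dsts) < threshold:
            continue
        notes = ["contacted %d distinct hosts on tcp/445" % len(dsts)]
        for port in sorted(outbound_worm_ports[src]):
            notes.append("connected out to tcp/%d (%s)" % (port, WORM_PORTS[port]))
        for port in sorted(inbound_worm_ports[src]):
            notes.append("received connections on port %d (%s)" % (port, WORM_PORTS[port]))
        findings[src] = notes
    return findings


def build_sample_log():
    """Constructed log: 10.1.2.3 sweeps its /16 on 445, reaches a shell on
    10.1.5.7:8888, and 10.1.5.7 then fetches the worm from 10.1.2.3:33333.
    10.1.9.9 is a normal client talking to a single file server."""
    lines = []
    for i in range(1, 41):
        lines.append("t%03d 10.1.2.3 10.1.%d.%d 445" % (i, i, 10 + i))
    lines.append("t041 10.1.2.3 10.1.5.7 8888")
    lines.append("t042 10.1.5.7 10.1.2.3 33333")
    lines.append("t043 10.1.9.9 10.1.9.10 445")
    lines.append("t044 10.1.9.9 10.1.9.10 445")
    return lines


if __name__ == "__main__":
    for host, notes in analyze(build_sample_log()).items():
        print(host)
        for note in notes:
            print("  -", note)
```

The 445 fan-out alone is the trigger; the follow-on ports are corroboration, since ordinary SMB traffic from a file server or a patch scanner can also touch many hosts on 445. Tune SCAN_THRESHOLD to the size of your subnets, and treat a hit as "patch, update DAT, scan", in that order, as the alert says.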
When first run W32/Zotob-A copies itself to %System%\botzor.exe.

The following registry entries are created to run botzor.exe on startup:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = botzor.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = botzor.exe

W32/Zotob-A also sets the following registry entry (SharedAccess is the Windows firewall/Internet Connection Sharing service; Start = 4 marks it as disabled):
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.

W32/Zotob-A also appends entries to the system HOSTS file in order to prevent access to certain websites, including common security and antivirus websites.

W32/Zotob-B worm and backdoor Trojan is similar to W32/Zotob-A. When first run W32/Zotob-B copies itself to %System%\csm.exe and creates the following registry entries so as to auto-start:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "csm Win Updates" = csm.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "csm Win Updates" = csm.exe

W32/Zotob-B sets the following registry entry, disabling the automatic startup of other software (SharedAccess is the Windows firewall/Internet Connection Sharing service; Start = 4 marks it as disabled):
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/SDbot.worm!MS05-039
August 15, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135434.htm

August 15, 2005 9:15 am HST

We have received reports of several unpatched Windows systems on campus getting infected with the new variant W32/Sdbot.worm!MS05-039. This worm exploits the MS05-039 plug and play vulnerability which was announced on August 9, 2005 by Microsoft.

Please update your McAfee VirusScan DAT to 4558 as soon as possible. Use "Update Now" command.

Go to http://windowsupdate.microsoft.com using Internet Explorer and apply all critical Windows patches. You must patch your system. Technical details and the patch for the MS05-039 plug and play vulnerability are available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.

This worm and the W32/Zotob worms scan the network for unpatched systems to exploit the MS05-039 plug and play vulnerability.

Method of Infection
This threat can be instructed to scan for MS05-039 exploitable systems. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.

If you suspect that your system has been infected (e.g. system shuts down and restarts by itself), please patch your Windows system, update your VirusScan DAT to 4558 and scan your hard drive. You may get a "buffer overflow protection" error message in VirusScan.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call toll free from neighbor islands (800) 558-2669.

 

 

W32/Mytob-DY (Sophos)
(aka W32/Mytob.eu@MM)
August 3, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4549 (released 8/3/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_135062.htm
http://www.sophos.com/virusinfo/analyses/w32mytobdy.html

August 3, 2005 11:30 am HST

Word of caution... A new variant of W32/Mytob-DY (Sophos) or W32/Mytob.eu@MM (McAfee) may be circulating on campus with a spoofed @hawaii.edu FROM address, e.g. register@hawaii.edu and an attachment. This email may claim that there is a problem with your email account or that you have successfully changed your password.

If you receive suspicious email, do NOT open the attachment. Please DELETE the messages.

The UH mail server (mail.hawaii.edu) is currently scanning for this threat. McAfee VirusScan (DAT 4548 and higher) detects the attachment as Generic Malware.a!.zip.

W32/Mytob-DY spreads via email with a spoofed FROM: address and attachment. It turns off anti-virus applications, allows hackers to access the computer, and mass mails itself to email addresses found on the infected computer.

FROM: (spoofed)

SUBJECT: (one of the following)
  • Your Account is Suspended
  • *DETECTED* Online User Violation
  • Your Account is Suspended For Security Reasons
  • Warning Message: Your services near to be closed.
  • Important Notification
  • Members Support
  • Security measures
  • Email Account Suspension
  • Notice of account limitation
  • Your password has been updated
  • Your password has been successfully updated
  • You have successfully updated your password
  • Your new account password is approved
MESSAGE TEXT: (one of the following)

Dear user [str],
You have successfully updated the password of your [str] account.
If you did not authorize this change or if you need assistance with your account, please contact [str] customer service at: [str]
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]


Dear user [str],
It has come to our attention that your [str] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]


Dear [str] Member,
We have temporarily suspended your email account [str].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [str] account.
Sincerely,The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]


Dear [str] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [str] Support Team
+++ Attachment: No Virus found
+++ [str] Antivirus - www.[str]


In the above message text [str] would be replaced with text from the user's email address.

ATTACHMENT: (one of the following base file names with file extension CMD, PIF, SCR, EXE or ZIP; the worm may create a double extension with a DOC, TXT or HTM first extension and a final extension of BAT, CMD, PIF, SCR, EXE or ZIP)
  • accepted-password
  • account-details
  • account-info
  • account-password
  • account-report
  • approved-password
  • document
  • email-details
  • email-password
  • important-details
  • new-password
  • password
  • readme
  • updated-password
Here is an example of the W32/Mytob-DY email:

Date: Wed, 03 Aug 2005 08:49:37 -0300
From: register@hawaii.edu <==== this is spoofed; not a valid UH username
To: uhusername@hawaii.edu
Subject: Your password has been successfully updated

Dear user uhusername,

You have successfully updated the password of your Hawaii account.

If you did not authorize this change or if you need assistance with your account, please contact Hawaii customer service at: register@hawaii.edu

Thank you for using Hawaii!
The Hawaii Support Team

+++ Attachment: No Virus (Clean)
+++ Hawaii Antivirus - www.hawaii.edu

Attachment: accepted-password.zip (58KB)

When run, W32/Mytob-DY copies itself to the Windows system folder as raloded.exe and sets the following registry entries in order to run each time a user logs on:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Msn Service" = raloded.exe
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Msn Service" = raloded.exe

W32/Mytob-DY sets the following registry entry, disabling the automatic startup of other software (SharedAccess is the Windows firewall/Internet Connection Sharing service; Start = 4 marks it as disabled):
  • HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4

W32/Mytob-DY modifies the HOSTS file changing IP-to-URL mappings for selected websites, including security websites, to point to the local machine. This prevents normal access to these websites.

If you have questions or need assistance, please contact the ITS Help Desk at (808) 956-8883, email help@hawaii.edu, or call toll free from the neighbor islands at (800) 558-2669.

 

 

W32/Mytob-AZ (Sophos)
(aka W32/Sober.aw@MM)
May 16, 2005

Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4492 (released 5/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_133762.htm
http://www.sophos.com/virusinfo/analyses/w32mytobaz.html

May 16, 2005 5:00 pm HST

A new variant of the W32/Mytob mass-mailing worm and backdoor Trojan has been seen circulating on campus, spoofing the FROM address Mail@hawaii.edu. It claims there is a problem with your email account. Please do not open suspicious email with attachments having ZIP, EXE, PIF, SCR or CMD extensions.

The UH mail server (mail.hawaii.edu) is scanning for this virus. Information is sparse at the McAfee website. The latest DAT 4492 is presumed to detect this variant (believed to be named W32/Mytob.aw@MM by McAfee). The UH repositories have been updated with DAT 4492. Please update your McAfee VirusScan DAT file as soon as possible, using the manual "Update Now" procedure (see http://www.hawaii.edu/antivirus/howtoupdate.html for instructions). Details will be posted as anti-virus vendor websites are updated.

Virus Description: (from the Sophos website)

The virus allows a remote hacker to gain access and control over the infected computer via IRC channels. It modifies the HOSTS file, changing the URL to IP mappings for selected websites, thus preventing normal access to these sites.

The virus is spread via mass emailing with the following characteristics:

FROM: (spoofed)

SUBJECT: (one of following)
  • *IMPORTANT* Please Validate Your Email Account
  • *IMPORTANT* Your Email Account Has Been Locked
  • Email Account Suspension
  • Your Email Account is Suspended For Security Reasons
  • Security Measures
  • Notice:***Your email account will be suspended***
  • Your email account access is restricted
  • Notie:***Last Warning***
MESSAGE TEXT: (one of following)
  • "To safeguard your email account from possible termination, please see the attached file."
  • "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal."
  • "We have suspended some of your email services, to resolve the problem you should read the attached document."
  • "please look at attached document."
  • "Account Information Are Attached!"
  • "Follow the instructions in the attachment."
ATTACHMENT: ZIP, EXE, PIF, SCR or CMD file extension with one of the following basenames:
  • email-text
  • document_full
  • information
  • info-text
  • Your_details
  • IMPORTANT
  • email-info
  • email-doc
  • INFO
Example of the W32/Mytob infected email detected on campus:

From: Mail@hawaii.edu (spoofed)
Subject: Notice:***Your email account will be suspended***

We have suspended some of your email services, to resolve the problem you should read the attached document.

Attachment:
(Name: "info-text.bat") 45KB

When first run, W32/Mytob-AZ copies itself to the Windows System directory as LienVandeKelder.exe.

W32/Mytob-AZ creates the following registry entries so that the worm is run when a user logs on to Windows:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run http://www.lienvandekelder.be "LienVandeKelder.exe"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices http://www.lienvandekelder.be "LienVandeKelder.exe"
If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Sober.p@MM
(aka W32/Sober-N, W32.Sober.O@mm)
May 2, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4482 (released 5/2/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_133409.htm
Stinger Removal Tool: v2.5.4 (5/2/05) (download filename has been renamed ST1NGER.EXE as Sober.p terminates "stinger" process names)

May 2, 2005 3:00 pm HST

McAfee has raised the threat level of W32/Sober.p@MM to medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4482 (released 5/2/05) as soon as possible. See instructions for manually updating your VirusScan DAT files.

This virus is also known as W32/Sober-N (Sophos) and W32.Sober.O@MM (Symantec).

Virus Description

This mass mailing email worm pretends to have information about your email account or password in a .ZIP attachment. It sends itself to addresses harvested from the infected computer. The email message is constructed in German or English, depending on the domain of the recipients' email address. Once infected, the worm attempts to contact various TIME servers on TCP port 37.

These are the characteristics of the email (English version):

From: (spoofed, faked)

Subject line: One of the following:
  • mailing error
  • Registration Confirmation
  • Your email was blocked
  • Your Password
Message text: One of the following:

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached
(See attached file: < zip file name >)


Account and Password Information are attached!

Visit: < URL >

*** AntiVirus: No Virus found
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)


Account and Password Information are attached!

Visit: < URL >
(See attached file: < zip file name >)


Account and Password Information are attached!

Visit: < URL >

*** Server-AntiVirus: No Virus (Clean)
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)


ok ok ok,,,,, here is it

*** AntiVirus: No Virus found
*** "< vendor name >" Anti-Virus
*** < vendor url >
(See attached file: < zip file name >)

Attached file: One of the following:
  • mail_info.zip
  • account_info.zip
  • our_secret.zip
The attached filenames may contain an optional prefix "error-" or an optional suffix "-text" followed by the ZIP file extension.

The ZIP file will contain an executable file named Winzipped-Text_Data.txt< many spaces >.pif. This is an attempt to trick the recipient into clicking on a presumably safe text file.
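The padded ".txt<spaces>.pif" name above, the double extensions and lure base names in the W32/Mytob-DY and W32/Mytob-AZ alerts, and the PIF and MIME/uuencode/BinHex attachment names in the Blackworm alert are all things a mail gateway or help-desk script can check by name alone. The following is an added example written for this page (not the UH mail server's filter or any vendor's rule set): it scores an attachment name against those patterns and, for ZIP attachments, applies the same check to each member. The sample ZIP it builds is constructed and contains no real binary.

```python
"""Heuristics for attachment names used by the lures in these alerts."""
import io
import re
import zipfile

# Extensions that run as programs when double-clicked on Windows.
EXECUTABLE_EXT = {"pif", "exe", "scr", "cmd", "bat", "com"}
# MIME / uuencode / BinHex wrappers listed for Blackworm; they can carry an executable.
ENCODED_CONTAINER_EXT = {"mim", "bhx", "uue", "b64", "uu", "hqx"}
# Harmless-looking first extensions used to build a double extension.
DECOY_EXT = {"doc", "txt", "htm", "html", "jpg", "pdf"}
# Base names from the Mytob-DY and Mytob-AZ alerts (lower-cased).
KNOWN_BASENAMES = {
    "accepted-password", "account-details", "account-info", "account-password",
    "account-report", "approved-password", "document", "email-details",
    "email-password", "important-details", "new-password", "password",
    "readme", "updated-password", "email-text", "document_full",
    "information", "info-text", "your_details", "important", "email-info",
    "email-doc", "info",
}


def classify_attachment(name):
    """Return the reasons an attachment name matches the lure patterns (empty list if none)."""
    reasons = []
    parts = name.split(".")
    if len(parts) < 2:
        return reasons
    base = parts[0].strip().lower()
    final_ext = parts[-1].strip().lower()
    middle_exts = [p.strip().lower() for p in parts[1:-1]]
    if base in KNOWN_BASENAMES:
        reasons.append("base name from Mytob lure list")
    if final_ext in EXECUTABLE_EXT:
        reasons.append("executable extension ." + final_ext)
        if any(ext in DECOY_EXT for ext in middle_exts):
            reasons.append("decoy document extension before executable extension")
        # Sober.p style: a run of spaces before the real extension pushes it out of view.
        if re.search(r"\s{2,}\.[^.]*$", name):
            reasons.append("whitespace padding hides final extension")
    elif final_ext in ENCODED_CONTAINER_EXT:
        reasons.append("MIME/uuencode/BinHex container ." + final_ext)
    return reasons


def inspect_zip(data):
    """Apply classify_attachment to every member of a ZIP archive given as bytes.
    Returns {member_name: reasons} for flagged members only."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for member in archive.namelist():
            reasons = classify_attachment(member)
            if reasons:
                flagged[member] = reasons
    return flagged


def build_sample_zip():
    """Constructed archive mimicking the Sober.p attachment: a .pif named to look like a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Winzipped-Text_Data.txt" + " " * 40 + ".pif",
                         b"constructed stub, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    samples = ["photo.pif", "DSC-00465.pIf", "SeX.mim", "accepted-password.zip",
               "info-text.bat", "report.pdf"]
    for sample in samples:
        print(sample, "->", classify_attachment(sample) or "no match")
    print(inspect_zip(build_sample_zip()))
```

Extension matching is case-insensitive because the alerts list the same file as .pif, .Pif and .pIf. A ZIP name such as accepted-password.zip is only flagged by its base name; the decisive check is inspect_zip on the archive contents, which is where the executable actually lives.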

When the ZIP file is extracted and the PIF file is manually executed, the virus may display a fake error message:



The worm copies itself to a newly created directory in the WINDOWS directory and creates registry run keys to load itself at system startup.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
File Symptoms

The following files are created:
  • c:\WINDOWS\Connection Wizard\Status\fastso.ber
  • c:\WINDOWS\system32\adcmmmmq.hjg
  • c:\WINDOWS\system32\langeinf.lin
  • c:\WINDOWS\system32\nonrunso.ber
  • c:\WINDOWS\system32\seppelmx.smx
  • c:\WINDOWS\system32\xcvfpokd.tqa
The following files are MIME encoded versions of the worm in a ZIP file:
  • c:\WINDOWS\Connection Wizard\Status\packed1.sbr
  • c:\WINDOWS\Connection Wizard\Status\packed2.sbr
  • c:\WINDOWS\Connection Wizard\Status\packed3.sbr
The following files contain email related data (such as domain names)
  • c:\WINDOWS\Connection Wizard\Status\sacri1.ggg
  • c:\WINDOWS\Connection Wizard\Status\sacri2.ggg
  • c:\WINDOWS\Connection Wizard\Status\sacri3.ggg
  • c:\WINDOWS\Connection Wizard\Status\voner1.von
  • c:\WINDOWS\Connection Wizard\Status\voner2.von
  • c:\WINDOWS\Connection Wizard\Status\voner3.von
The following files are copies of the worm:
  • c:\WINDOWS\Connection Wizard\Status\csrss.exe
  • c:\WINDOWS\Connection Wizard\Status\services.exe
  • c:\WINDOWS\Connection Wizard\Status\smss.exe
Note: there are legitimate Windows files named csrss.exe, services.exe, and smss.exe in the c:\Windows\system32 directory.

Once the computer is infected, the antivirus scanner will not be able to detect the file (read-access to the file may be denied). If you suspect that your computer is infected, you will need to reboot into Safe Mode. Make sure your DAT is updated to 4482 and run a full scan of your hard drive. Delete files flagged as infected. Restart the computer in normal mode.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Bagle.dldr
(aka Trojan.Tooso.B, Troj/BagleDI-L)
March 1, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4437 (released 3/1/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_129512.htm

March 1, 2005 12:15 pm HST

McAfee has raised the risk level of W32/Bagle.dldr to medium because of increased prevalence. DAT 4437 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT by manually running "Update Now" (instructions are at http://www.hawaii.edu/antivirus/howtoupdate.html ).

New variants of this Bagle downloader have been mass-spammed in the last 12 hours. These variants are not known at present to be dropped by any mass-mailing Bagle variants, and these variants do not mass-mail themselves.

This trojan downloader attempts to download and execute a file from several remote websites into %Windows%\_re_file.exe. It attempts to disable services and delete registry keys related to security applications such as antivirus and firewall software, to rename files belonging to security applications (so they no longer run), and to block access to security-related websites by adding entries to the Windows HOSTS file that map those sites to the loopback address 127.0.0.1.
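One defender-side check for the HOSTS-file tampering described above, as an added example that is not part of the original alert: it parses a HOSTS file and flags any hostname other than the usual local names that has been pointed at the loopback or unspecified address. The sample file content and the watch list of security-vendor domains are constructed for illustration; the alert does not say which sites the downloader blocks.

```python
"""Flag HOSTS-file entries that sink non-local hostnames to 127.0.0.1 / 0.0.0.0,
the blocking technique the W32/Bagle.dldr alert describes.
Added example, not part of the original alert. The sample file text and the
SECURITY_DOMAINS watch list are constructed for illustration."""
import ipaddress

# Names that legitimately resolve to loopback; anything else pointed there is suspect.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch list (assumption: the alert names no specific blocked sites).
SECURITY_DOMAINS = {"vil.nai.com", "www.mcafee.com", "www.symantec.com",
                    "windowsupdate.microsoft.com"}

def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)          # skip malformed address fields
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries

def find_hijacked(text):
    """Return entries that map a non-local name to loopback or the unspecified address."""
    hits = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK:
            hits.append({"ip": ip, "host": name, "security_site": name in SECURITY_DOMAINS})
    return hits

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.edu   # legitimate internal mapping
127.0.0.1       vil.nai.com
127.0.0.1       www.mcafee.com www.symantec.com
0.0.0.0         windowsupdate.microsoft.com
"""

if __name__ == "__main__":
    for hit in find_hijacked(SAMPLE_HOSTS):
        print(hit)
```

On a Windows machine the live file is %SystemRoot%\System32\drivers\etc\hosts; read it as text and pass the contents to find_hijacked. Entries that point security or update sites at loopback are the ones to remove after the infection itself has been cleaned, otherwise the scanner cannot fetch new DATs.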

Outgoing TCP connections to port 80 (HTTP) are established and the downloader tries to fetch a file from a very long list of websites (some may be decoys). The malware downloaded and executed by some Bagle variants behaves as follows:
This variant copies itself to the default Windows System directory %WinDir%\system32 as WINSHOST.EXE (34,304 bytes) and adds the following registry hooks:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
It drops a file wiwshost.exe (18,944 bytes), which is detected by DAT 4333 and above as W32/Bagle.dll.gen. This file is injected into the EXPLORER process and tries to download a file zo2.jpg from various sites. It also terminates security services like its predecessors and in some cases renames the main security program executable.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Mydoom.be@MM
February 22, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4431 (released 2/21/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131868.htm
Stinger removal tool (v2.5.2, 2/21/05)

W32/Mydoom.be@MM is similar to previous variants of Mydoom.

Virus Description:

W32/Mydoom.be@MM is a mass mailing email worm with these characteristics:
  • has its own SMTP engine to construct messages
  • harvests email addresses from the victim's computer
    • DOC, TXT, HTM, and HTML files
    • addresses from active Outlook windows
  • queries lycos, altavista, yahoo and google search engines for email addresses
  • spoofs the FROM address (pretends to be sent from an email address and may appear to be a system message or bounced email message from the Postmaster)
  • downloads the BackDoor-CEB.f trojan
  • opens various TCP ports on the victim computer
W32/Mydoom.be@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)
  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)
with display names (one of the following):
  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"
SUBJECT: (one of the following):
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain],

Your account has been used to send a huge amount of unsolicited email during the recent week.
Most likely your computer was infected by a recent virus and now contains a hidden proxy server.

We recommend that you follow instructions in order to keep your computer safe.

Have a nice day,
[target domain] support team

Dear user of [target domain]

We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered

The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: may be the target email address, e.g. user@hawaii.edu, or one of the following filenames:
  • README
  • INSTRUCTION
  • TRANSCRIPT
  • MAIL
  • LETTER
  • FILE
  • TEXT
  • ATTACHMENT
  • DOCUMENT
  • MESSAGE
with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a ZIP file (file may be doubly ZIPped) containing a file named as described.

The virus queries four search engines to harvest addresses returned from those queries:
  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.

The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
  • www.aartanridge.org.uk/YaBBImages/(neutered).gif
  • www.eastcoastchoons.co.uk/4play/(neutered) .JPG
  • www.foxalpha.com/charte/(neutered).jpg
  • www.ribaforada.net/banners/(neutered) .gif
  • www.sundayriders.co.uk/images/(neutered).gif
  • www.hooping.org/archives/(neutered).JPG
  • www.imogenheap.co.uk/iblog/(neutered).jpg
  • www.newgenerationcomics.net/banner/(neutered).jpg
  • ics.net/banner/(neutered).jpg <== not on W32/Mydoom.bd@MM
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
  • C:\WINDOWS\JAVA.EXE
It also drops the file SERVICES.EXE into this directory:
  • C:\WINDOWS\SERVICES.EXE
The following Registry keys are added to hook system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
  • HKEY_CURRENT_USER\Software\Microsoft\Daemon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Bropia.worm.p
February 18, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131862.htm

W32/Bropia.worm.p spreads through MSN messenger. The user must manually run the attachment in order to get infected. However, unlike previous variants it does not drop the W32/Sdbot.worm.gen worm.

The worm drops a copy of itself into the C:\ directory using any of the following filenames:
  • c:\Beautiful A**.pif
  • c:\John Kerry as Super Chicken.scr
  • c:\Kool.pif
  • c:\Me & you pic!.pif
  • c:\Me P***ed!.pif
  • c:\sexy.pif
  • c:\She Could Fit her A** in a Teacup.pif
  • c:\she's f***in fit.pif
  • c:\titanic2.jpg.pif
(* replaces text)

A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.

The following registry keys are hooked to run the worm at startup:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Isass" = %SysDir%\Isass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Isass" = %SysDir%\Isass.exe
The worm creates a mutex object on the infected machine using the name:
  • .:*-F*k-U-*:.
The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:
  • Regedit.exe - registry editor
  • Mstask.exe - task manager
  • Msconfig.exe - configuration manager
If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Mydoom.bd@MM
February 18, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131861.htm
Stinger removal tool (v2.5.1, 2/18/05)

W32/Mydoom.bd@MM is similar to other variants of Mydoom.

Virus Description:

W32/Mydoom.bd@MM is a mass mailing email worm with these characteristics:
  • has its own SMTP engine to construct messages
  • harvests email addresses from the victim computer
  • spoofs the FROM address
  • downloads the BackDoor-CEB.f trojan
  • opens various TCP ports on the victim computer
W32/Mydoom.bd@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)
  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)
with display names (one of the following):
  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"
SUBJECT: (one of the following):
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]

We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered

The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: an executable file with one of the following extensions:
  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD
It may also have the ZIP file extension and may be doubly ZIPped, e.g. a ZIPped file within a ZIP.

The attachment may use the target email address as the filename, in addition to one of the following filenames:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
The attachment may use a double extension and there may be multiple spaces between the file extensions to deceive users.

The virus harvests email addresses from .DOC, .TXT, .HTM, and .HTML files on the victim computer.

The virus queries four search engines to harvest addresses returned from those queries:
  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.

The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
  • www.aartanridge.org.uk/YaBBImages/(neutered).gif <== not on W32/Mydoom.bc@MM
  • www.eastcoastchoons.co.uk/4play/(neutered) .JPG
  • www.foxalpha.com/charte/(neutered).jpg
  • www.ribaforada.net/banners/(neutered) .gif
  • www.sundayriders.co.uk/images/(neutered).gif
  • www.foxalpha.com/charte/(neutered).jpg
  • www.hooping.org/archives/(neutered).JPG
  • www.imogenheap.co.uk/iblog/(neutered).jpg
  • www.newgenerationcomics.net/banner/(neutered).jpg
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
  • C:\WINDOWS\JAVA.EXE
It also drops the file SERVICES.EXE into this directory:
  • C:\WINDOWS\SERVICES.EXE
The following Registry keys are added to hook system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
  • HKEY_CURRENT_USER\Software\Microsoft\Daemon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Mydoom.bc@MM
February 18, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131860.htm
Stinger removal tool (v2.5.1, 2/18/05)

W32/Mydoom.bc@MM is similar to other variants of Mydoom.

Virus Description:

W32/Mydoom.bc@MM is a mass mailing email worm with these characteristics:
  • has its own SMTP engine to construct messages
  • harvests email addresses from the victim computer
  • spoofs the FROM address
  • downloads the BackDoor-CEB.f trojan
  • opens various TCP ports on the victim computer
W32/Mydoom.bc@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)
  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)
with display names (one of the following):
  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"
SUBJECT: (one of the following):
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]
We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.

Please follow the instruction in the attached file
in order to keep your computer safe.

Have a nice day,
[domain] user support team.

Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered

The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: an executable file with one of the following extensions:
  • EXE
  • COM
  • SCR
  • PIF
  • BAT
  • CMD
It may also have the ZIP file extension and may be doubly ZIPped, e.g. a ZIPped file within a ZIP.

The attachment may use the target email address as the filename, in addition to one of the following filenames:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
The attachment may use a double extension and there may be multiple spaces between the file extensions to deceive users.

The virus harvests email addresses from .DOC, .TXT, .HTM, and .HTML files on the victim computer.

The virus queries four search engines to harvest addresses returned from those queries:
  • http://search.lycos.com
  • http://www.altavista.com
  • http://search.yahoo.com
  • http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.

The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
  • www.eastcoastchoons.co.uk/4play/(neutered) .JPG
  • www.foxalpha.com/charte/(neutered).jpg
  • www.ribaforada.net/banners/(neutered) .gif
  • www.sundayriders.co.uk/images/(neutered).gif
  • www.foxalpha.com/charte/(neutered).jpg
  • www.hooping.org/archives/(neutered).JPG
  • www.imogenheap.co.uk/iblog/(neutered).jpg
  • www.newgenerationcomics.net/banner/(neutered).jpg
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
  • C:\WINDOWS\JAVA.EXE
It also drops the file SERVICES.EXE into this directory:
  • C:\WINDOWS\SERVICES.EXE
The following Registry keys are added to hook system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
  • HKEY_CURRENT_USER\Software\Microsoft\Daemon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Mydoom.bb@MM
(aka W32/MyDoom-o)
February 16, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4429 (to be released 2/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131856.htm

Feb. 16, 2005 2:45 pm HST

There's a new Mydoom email virus circulating on campus. W32/Mydoom.bb@MM appears to be from the mail administrator or a bounced email message and arrives with a spoofed FROM address and attachment with .ZIP, .EXE, .COM, .SCR, .PIF, .BAT or .CMD extensions. The UH mail server (mail.hawaii.edu) is blocking this virus.

McAfee VirusScan DAT 4429 (to be released 2/16/05) is required to detect this virus. Please delete messages matching this description and do NOT open any attachments. We will notify you when we receive DAT 4429 and update the UH repositories.

Virus Description:

W32/Mydoom.bb@MM is a mass mailing email worm with these characteristics:
  • has its own SMTP engine to construct messages
  • harvests email addresses from the victim computer
  • spoofs the FROM address
  • contains a P2P (peer-to-peer) routine
  • downloads the BackDoor-CEB.f trojan
  • TCP port 1034 is opened on the victim computer
W32/Mydoom.bb@MM arrives via email with the following characteristics:

FROM: (spoofed; made to appear like a system message or a bounced email message)
  • mailer-daemon@(target_domain)
  • noreply@(target_domain)
  • postmaster@(target_domain)
with display names (one of the following):
  • "Postmaster"
  • "Mail Administrator"
  • "Automatic Email Delivery Software"
  • "Post Office"
  • "The Post Office"
  • "Bounced mail"
  • "Returned mail"
  • "MAILER-DAEMON"
  • "Mail Delivery Subsystem"
SUBJECT: (one of the following):
  • delivered
  • hello
  • hi
  • error
  • status
  • test
  • report
  • delivery failed
  • Message could not be delivered
  • Mail System Error - Returned Mail
  • Delivery reports about your e-mail
  • Returned mail: see transcript for details
  • Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that We have detected that your e-mail account has been used to send a large amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now runs a trojan proxy server.
Please follow our instructions in the attachment file in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered

The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:

Mail server is not responding

The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.

ATTACHMENT: the filename is one of the following:
  • readme
  • instruction
  • transcript
  • mail
  • letter
  • file
  • text
  • attachment
  • document
  • message
The filename may have an optional extension of .DOC, .TXT, .HTM, .HTML and a final extension of .ZIP, .EXE, .COM, .BAT, .CMD, .SCR or .PIF.

The virus copies itself to folders containing the strings:
  • USERPROFILE
  • yahoo.com
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
  • C:\WINDOWS\JAVA.EXE
It also drops the file SERVICES.EXE into this directory:
  • C:\WINDOWS\SERVICES.EXE
The following Registry keys are added to hook system startup:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
  • HKEY_CURRENT_USER\Software\Microsoft\Daemon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
TCP Port 1034 is opened on the victim machine by the SERVICES.EXE process and listens for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses on destination Port 1034. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

 

 

W32/Sober.k@MM
(aka W32.Sober.j@mm)
January 31, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4424 (released 1/31/2005)
Minimum VirusScan scan engine: 4.4.00
For more information: http://vil.nai.com/vil/content/v_131355.htm
Stinger removal tool (v2.4.9.2, 1/31/2005)

Jan. 31, 2005 9:30 am HST

McAfee has raised the risk of W32/Sober.k@MM (aka W32/Sober.j@mm) to medium due to increased prevalence. DAT 4424 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT to 4424 as soon as possible using "Update Now." Note: the new scan engine 4400 is required to delete and remove this virus.

Virus Description:

W32.Sober.k@MM is a mass mailing worm with the following characteristics:
  • written in German or English
  • FROM address is spoofed
  • ATTACHMENT: EMAIL_TEXT.ZIP or TEXT.ZIP (43KB)
  • The Zipped file contains the worm with filename MAIL_TEXT-INFO.TXT (many spaces) .PIF
  • When executed, Notepad opens an error message
The worm checks the country of origin indicated by the recipient's domain extension. If the domain extension is a German variant, the email message is sent in German; otherwise it is sent in English. The following is the English version of the W32/Sober.k@MM email:

From: (spoofed)
Subject: I've got YOUR email on my account!!
Body:
Hello,
First, Sorry for my very bad English!

Someone send your private mails on my email account! I think it's an Mail-Provider or SMTP error. Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress.

In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol

OK, I've copied all email text in the Windows Text-Editor and i've zipped the t ext file with WinZip. The sender of this mails is in the text file, too.

bye

Attachment:
  • EMAIL_TEXT.ZIP or
  • TEXT.ZIP
The ZIP archive contains a copy of the worm with the following filename:
  • MAIL_TEXT-INFO.TXT (many spaces) .PIF
Note: other anti-virus web sites indicate that the attachment may have other file extensions, including ZIP, PIF, SCR, BAT, COM or EXE.
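The attachment naming trick shared by the Mydoom and Sober alerts on this page (a decoy .TXT or .DOC extension, a run of spaces, then an executable extension, sometimes inside one or two ZIP layers) can be caught at the mail gateway before the recipient ever sees a text-file icon. The following is an added example, not code from the alerts or from any vendor: it walks the attachments of a parsed message, opens ZIP attachments in memory up to two levels deep, and reports names that fit the pattern. The sample message and ZIP contents are constructed; the extension lists are assumptions drawn from the alerts.

```python
"""Flag e-mail attachments that use the decoy-extension trick described in the
Mydoom and Sober alerts: a harmless-looking name such as TEXT.TXT, a run of
spaces, then an executable extension, possibly inside one or two ZIP layers.
Added example, not code from the alerts; the sample message, the ZIP contents
and the extension lists are constructed for illustration."""
import io
import re
import zipfile
from email.message import EmailMessage

EXEC_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "cpl"}   # extensions named in the alerts
DECOY_EXT = {"doc", "txt", "htm", "html"}                      # decoy extensions named in the alerts
MAX_ZIP_DEPTH = 2   # the Mydoom alerts say the attachment may be doubly ZIPped

def classify_name(name):
    """Return a reason string if the filename is deceptive, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    final = parts[-1].strip().lower()
    if final not in EXEC_EXT:
        return None
    stem = ".".join(parts[:-1])
    # decoy extension followed by the space padding, right before the real extension
    m = re.search(r"\.([A-Za-z0-9]+)(\s+)$", stem)
    if m and m.group(1).lower() in DECOY_EXT:
        return f"decoy .{m.group(1)} extension padded with {len(m.group(2))} spaces before .{final}"
    if stem != stem.rstrip():
        return f"whitespace padding before .{final}"
    return f"executable attachment (.{final})"

def scan_zip_bytes(data, depth=1):
    """Return [(entry path, reason)] for deceptive names in a ZIP, recursing into nested ZIPs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            reason = classify_name(info.filename)
            if reason:
                findings.append((info.filename, reason))
            if depth < MAX_ZIP_DEPTH and info.filename.lower().endswith(".zip"):
                for path, why in scan_zip_bytes(zf.read(info), depth + 1):
                    findings.append((f"{info.filename}!{path}", why))
    return findings

def scan_message(msg):
    """Walk the attachments of a parsed message and return [(name or path, reason)]."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reason = classify_name(name)
        if reason:
            findings.append((name, reason))
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            for path, why in scan_zip_bytes(payload):
                findings.append((f"{name}!{path}", why))
    return findings

def build_sample_message():
    """Construct a Mydoom-style bounce lookalike (not a real capture) carrying a doubly-zipped EXE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("transcript.txt" + " " * 40 + ".exe", b"constructed stub, not a program")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("text.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = '"Mail Delivery Subsystem" <mailer-daemon@example.edu>'
    msg["To"] = "user@example.edu"
    msg["Subject"] = "Returned mail: see transcript for details"
    msg.set_content("The message could not be delivered\n")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="transcript.zip")
    msg.add_attachment(b"constructed stub, not a program", maintype="application",
                       subtype="octet-stream", filename="readme.doc" + " " * 12 + ".scr")
    msg.add_attachment("nothing to see here\n", filename="notes.txt")  # benign, must not be flagged
    return msg

if __name__ == "__main__":
    for path, why in scan_message(build_sample_message()):
        print(f"{path!r}: {why}")
```

A real message is parsed with email.message_from_bytes(raw, policy=email.policy.default) before being handed to scan_message. The depth limit matters: without it, a ZIP that contains itself (a known decompression trick) would recurse until the gateway runs out of stack.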

The importance of the mail is set to "High" (this will only have an effect for certain mail clients).

The worm has a pool of strings which it uses to construct a random executable filename and registry keys for installing itself on the victim computer:
  • 32
  • crypt
  • data
  • diag
  • dir
  • disc
  • expoler
  • host
  • log
  • run
  • service
  • smss32
  • spool
  • sys
  • win
The constructed filename always has an EXE file extension and consists of three strings from the pool of strings. The worm writes itself to the default Windows System directory. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). For example, SYSSPOOLDISC.EXE.

The worm adds the value:

"[random value name]" = "%System%\[random file name].exe"

to the registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
so that the worm executes every time Windows starts.

Network Symptoms:

Symptoms indicating the worm's presence on a network include:
  • outgoing messages matching the characteristics described here
  • unexpected NTP/time-protocol traffic to TCP port 37 (TCP 37 is the RFC 868 Time service port)
  • unexpected attempts to log into several GMX accounts (POP3)
  • unexpected outgoing DNS queries to DNS servers on the internet for one or more of the following domains:
    • microsoft.com
    • bigfoot.com
    • yahoo.com
    • t-online.de
    • google.com
    • hotmail.com
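A defender-side correlation of these symptoms, added here as an example (not part of the ITS alert or the McAfee write-up): it parses a constructed, comma-separated connection log (timestamp,src,proto,dst,dport,detail), maps each record to one of the three symptom classes, and flags internal hosts that show at least two classes. The log format, the "gmx" substring test on the POP3 server name and the two-class threshold are assumptions; DNS lookups for these domains on their own are ordinary traffic.

```python
"""Correlate the Sober.k network symptoms across a simple connection log.

Added example (not from the ITS alert). Input records are assumed to be
'ts,src,proto,dst,dport,detail' where detail holds the queried name for
DNS or the server name for POP3; both the format and the threshold are
assumptions, not part of the original alert.
"""
from collections import defaultdict

# Domains the alert lists as unexpected outbound DNS queries.
SOBER_DNS_DOMAINS = {"microsoft.com", "bigfoot.com", "yahoo.com",
                     "t-online.de", "google.com", "hotmail.com"}


def classify(record):
    """Map one parsed record to a Sober symptom class, or None."""
    proto, dport, detail = record["proto"], record["dport"], record["detail"]
    if proto == "tcp" and dport == 37:
        return "time_tcp37"          # time-service probe on TCP 37
    if proto == "tcp" and dport == 110 and "gmx" in detail.lower():
        return "gmx_pop3"            # POP3 login attempt against GMX
    if proto == "udp" and dport == 53:
        q = detail.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in SOBER_DNS_DOMAINS):
            return "dns_probe"       # lookup of one of the listed domains
    return None


def parse_line(line):
    """Parse one 'ts,src,proto,dst,dport,detail' line; None if malformed."""
    parts = line.strip().split(",", 5)
    if len(parts) != 6:
        return None
    ts, src, proto, dst, dport, detail = parts
    if not dport.isdigit():
        return None
    return {"ts": ts, "src": src, "proto": proto.lower(), "dst": dst,
            "dport": int(dport), "detail": detail}


def correlate(lines, min_classes=2):
    """Return {src: {class: count}} for hosts showing >= min_classes classes.

    A single class (e.g. one google.com lookup) is normal; the combination
    of time probe + DNS probe + GMX POP3 from one host is the Sober pattern.
    """
    per_host = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip malformed lines rather than abort
        cls = classify(rec)
        if cls:
            per_host[rec["src"]][cls] += 1
    return {h: dict(c) for h, c in per_host.items() if len(c) >= min_classes}


# Constructed sample log (not real traffic); 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for external servers.
SAMPLE_LOG = """\
2005-02-21T08:01:02,10.1.2.3,tcp,198.51.100.7,37,
2005-02-21T08:01:03,10.1.2.3,udp,198.51.100.53,53,microsoft.com
2005-02-21T08:01:03,10.1.2.3,udp,198.51.100.53,53,t-online.de
2005-02-21T08:01:09,10.1.2.3,tcp,203.0.113.20,110,pop.gmx.net
2005-02-21T08:01:12,10.1.2.3,tcp,203.0.113.25,25,
2005-02-21T08:02:40,10.1.2.9,udp,198.51.100.53,53,www.google.com
2005-02-21T08:02:41,10.1.2.9,tcp,203.0.113.80,80,
2005-02-21T08:03:00,10.1.2.14,tcp,198.51.100.7,37,
garbage line that should be skipped
"""

if __name__ == "__main__":
    for host, classes in correlate(SAMPLE_LOG.splitlines()).items():
        print(host, classes)
```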

If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or call (800) 558-2669 toll free from neighbor islands.

W32/Bagle.bj@MM, W32/Bagle.bk@MM
(aka W32.Beagle.az@mm)
January 27, 2005

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4423 (released 1/27/2005)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_131351.htm

Jan. 27, 2005 9:30 am HST

McAfee has released DAT 4423 early to detect a couple of new Bagle email viruses. W32/Bagle.bj@MM is rated MEDIUM due to increased prevalence and W32/Bagle.bk@MM (aka W32.Beagle.az@MM; very similar to W32/Bagle.bj@MM) is rated LOW.

W32/Bagle.bj@MM and W32/Bagle.bk are mass mailing and peer-to-peer worms with the following characteristics:
  • has its own SMTP engine to construct outgoing messages
  • harvests email addresses from the infected computer
  • FROM address is spoofed
  • ATTACHMENT has extension .EXE, SCR, .COM, or .CPL
  • terminates security and antivirus programs
  • makes changes to the registry
  • opens random TCP ports starting from port 2339 on the infected computer
  • creates infected files in folders containing phrase SHAR (often used in peer-to-peer filesharing programs)
Virus Description:

The Bagle viruses (both variants) arrive via email with these characteristics:

From : (address is spoofed)
Subject :
  • Delivery service mail
  • Delivery by mail
  • Registration is accepted
  • Is delivered mail
  • You are made active
Body Text:
  • Thanks for use of our software.
  • Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
  • wsd01
  • viupd02
  • siupd02
  • guupd02
  • zupd02
  • upd02
  • Jol03
The virus copies itself into the Windows System directory as sysformat.exe. For example:
  • C:\WINNT\SYSTEM32\sysformat.exe
It also creates other files in this directory to perform its functions:
  • C:\WINNT\SYSTEM32\sysformat.exeopen
  • C:\WINNT\SYSTEM32\sysformat.exeopenopen
The following Registry key is added to hook system startup:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe
Additionally, the following Registry key is added:
  • HKEY_CURRENT_USER\Software\Microsoft\Params "TimeKey"
It deletes these values
  • "My AV"
  • "ICQ Net"
from the following Registry keys, if they are present:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
  • MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
  • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
This worm attempts to terminate the processes of security and antivirus programs. See the McAfee article for the complete list of filenames.

The virus contains a backdoor that can be used to run executable files sent to the infected computer.

The virus copies itself to folders on the infected computer that contain the phrase shar, copying itself with the following filenames:
  • 1.exe
  • 2.exe
  • 3.exe
  • 4.exe
  • 5.scr
  • 6.exe
  • 7.exe
  • 8.exe
  • 9.exe
  • 10.exe
  • Ahead Nero 7.exe
  • Windown Longhorn Beta Leak.exe
  • Opera 8 New!.exe
  • XXX hardcore images.exe
  • WinAmp 6 New!.exe
  • WinAmp 5 Pro Keygen Crack Update.exe
  • Adobe Photoshop 9 full.exe
  • Matrix 3 Revolution English Subtitles.exe
  • ACDSee 9.exe

W32/Zafi.d@MM
(aka W32.Erkez.D@mm)
December 14, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4414 (released 12/14/2004)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_130371.htm

Dec. 14, 2004 9:00 am HST

McAfee released DAT 4414 early to detect new variant W32/Zafi.d@MM. The risk level of this virus has been raised to Medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4414 using the manual "Update Now" method as soon as possible.

W32/Zafi.d@MM has the following characteristics:
  • contains its own SMTP engine to construct outgoing messages
  • spoofs the FROM address
  • harvests email addresses from the victim machine
  • outgoing email messages are in various languages pretending to be a holiday greeting
  • spreads via P2P filesharing
  • shuts down security services like firewalls and antivirus products
  • opens TCP port 8181 on the infected system
W32/Zafi.d@MM is a mass mailing worm that pretends to be a holiday greeting in various languages. The FROM address is spoofed and the message carries an attachment. Do not open attachments from unknown users and be very cautious when opening attachments from known users. For this virus, the recipient must open the attachment before getting infected.

From: (Spoofed)

Subject: (One of the following)
  • Merry Christmas!
  • boldog karacsony...
  • Feliz Navidad!
  • ecard.ru
  • Christmas Kort!
  • Christmas Vykort!
  • Christmas Postkort!
  • Christmas postikorti!
  • Christmas - Kartki!
  • Weihnachten card.
  • Prettige Kerstdagen!
  • Christmas pohlednice
  • Joyeux Noel!
  • Buon Natale!
Body Text: (One of the following)
  • Happy HollyDays! :) [Recipient]
  • Kellemes Unnepeket! :) [Recipient]
  • Feliz Navidad! :) [Recipient]
  • :) [Recipient]
  • Glaedelig Jul! :) [Recipient]
  • God Jul! :) [Recipient]
  • God Jul! :) [Recipient]
  • Iloista Joulua! :) [Recipient]
  • Naulieji Metai! :) [Recipient]
  • Wesolych Swiat! :) [Recipient]
  • Fröhliche Weihnachten! :) [Recipient]
  • Prettige Kerstdagen! :) [Recipient]
  • Veselé Vánoce! :) [Recipient]
  • Joyeux Noel! :) [Recipient]
  • Buon Natale! :) [Recipient]
Attachment: (May be one of the following)
  • Link.postcard.christmas.htm
  • card.php2662.gif.cmd
  • postcard.php8583.zip
Here is an example of an email sent by the Zafi.d worm. The graphic and format of the email are the same in other languages.


The worm also spreads via P2P (peer-to-peer) filesharing by copying itself to directories on the C: drive whose names contain the phrase share, upload or music, using the following filenames:
  • winamp 5.7 new!.exe
  • ICQ 2005a new!.exe
The worm tries to shut down security services such as firewalls and antivirus software. It attempts to block programs whose names contain reged, msconfig or task (such as regedit and Task Manager), making virus detection and cleanup more difficult.

The worm drops the following files into the default Windows System folder (%windir%\system32):
  • C:\WINNT\system32\ .EXE - 11,745 bytes
  • C:\WINNT\system32\
  • C:\WINNT\system32\Norton Update.exe - 11,745 bytes
  • C:\WINNT\system32\ .DLL - (worm zipped up)
  • C:\s.cm - 20,552 bytes (winzip dll module)
It creates a registry key, so the file gets executed every time the machine starts:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe
It creates the following registry key to store information of the worm:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4

W32/Sober.j@MM
November 19, 2004

Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4409 (released 11/19/2004)
Minimum VirusScan scan engine: 4.3.20
For more information: http://vil.nai.com/vil/content/v_129531.htm
Stinger Removal Tool (v.2.4.4, 11/8/04)

Nov. 19, 2004 9:00 am HST

McAfee released DAT 4409 early to detect the new variant W32/Sober.j@MM.

The UH repositories have been updated. Please update your VirusScan DAT to 4409 using the manual "Update Now" method as soon as possible.

W32/Sober.j@MM has the following characteristics:
  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • queries DNS and time servers (TCP port 37) to check whether the infected machine is connected to the internet

    The worm attempts to connect to public time servers via TCP 37 (the list of hosts is given in the McAfee write-up linked above).

    For DNS, the worm attempts to connect to DNS servers via UDP 53 (the list of IP addresses is given in the McAfee write-up linked above).

    The worm queries those servers for these domain names:
  • microsoft.com
  • bigfoot.com
  • yahoo.com
  • t-online.de
  • google.com
  • hotmail.com

    The worm copies itself twice to the system folder using a constructed filename. The filenames are built by combining the following strings and always end with ".exe":
  • sys
  • host
  • dir
  • expoler
  • win
  • run
  • log
  • 32
  • disc
  • crypt
  • data
  • diag
  • spool
  • service
  • smss32

    Body: various error messages
    Attachment: attaches a copy of itself using a constructed filename.

    The system is hooked to run the virus on start up by the following registry keys. (Note: the filenames and value names are constructed using the technique above.)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler" Data: C:\WINNT\System32\datadiscwin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx" Data: C:\WINNT\System32\cryptservice.exe %srun%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx" Data: C:\WINNT\System32\cryptservice.exe %srun%
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32" Data: C:\WINNT\System32\datadiscwin.exe
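The filename construction described here (and in the W32/Sober.k alert above, which uses the same string pool) can be turned into a check of autorun entries. The following is an added example, not code from the ITS alert or from McAfee: it segments each Run value's executable name into pool strings and flags two- or three-string combinations, run over constructed reg query output. The 2-3 token range and the trailing-"x" allowance for value names are assumptions taken from the examples listed on this page (datadiscwin.exe, cryptservice.exe, "wincryptx").

```python
"""Heuristic check for Sober.j/.k-style constructed autorun entries.

Added example, not from the UH ITS alert or McAfee. Assumptions: the
executable name is 2-3 pool strings plus ".exe" (the page shows both
counts), and a value name may carry a trailing 'x' (e.g. "wincryptx").
"""
import re

# The pool of strings listed in the alert (Sober.j and Sober.k share it).
POOL = ("32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
        "log", "run", "service", "smss32", "spool", "sys", "win")


def segmentations(s, pool=POOL):
    """All ways to split s exactly into a sequence of pool strings."""
    if s == "":
        return [[]]
    out = []
    for tok in pool:
        if s.startswith(tok):
            for rest in segmentations(s[len(tok):], pool):
                out.append([tok] + rest)
    return out


def pool_tokens(stem, min_tokens=2, max_tokens=3):
    """Return a 2-3 token pool segmentation of stem, or None if there is none.
    Note: ordinary names can collide (e.g. 'syslog'), so hits need review."""
    for seg in segmentations(stem.lower()):
        if min_tokens <= len(seg) <= max_tokens:
            return seg
    return None


def _exe_basename(data):
    """Basename of the first path (quoted or bare) in a Run value's data."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_run_value(name, data):
    """Classify one Run value. The executable name is the primary signal;
    a constructed value name alone only earns a 'review' verdict."""
    exe = _exe_basename(data)
    exe_tokens = pool_tokens(exe[:-4]) if exe.lower().endswith(".exe") else None
    name_tokens = pool_tokens(name) or (
        pool_tokens(name[:-1]) if name.lower().endswith("x") else None)
    if exe_tokens:
        verdict = "suspicious"
    elif name_tokens:
        verdict = "review"
    else:
        verdict = "clean"
    return {"name": name, "exe": exe, "exe_tokens": exe_tokens,
            "name_tokens": name_tokens, "verdict": verdict}


# Value lines as printed by `reg query <key>`: name, type, data.
_VALUE_RE = re.compile(r"^\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$")


def scan_reg_query(text):
    """Parse `reg query ...\\Run` style output; return the non-clean entries."""
    hits, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        result = check_run_value(m.group(1), m.group(2))
        if result["verdict"] != "clean":
            result["key"] = key
            hits.append(result)
    return hits


# Constructed sample (not real output): worm-style entries modelled on the
# page's examples, mixed with ordinary autorun values.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    hostexpoler    REG_SZ    C:\WINNT\System32\datadiscwin.exe
    wincryptx    REG_SZ    C:\WINNT\System32\cryptservice.exe %srun%
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Synchronization Manager    REG_SZ    mobsync.exe /logon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    runsmss32    REG_SZ    C:\WINNT\System32\datadiscwin.exe
    ExampleAgent    REG_SZ    "C:\Program Files\Example Vendor\agent.exe" /silent
"""

if __name__ == "__main__":
    for hit in scan_reg_query(SAMPLE_REG_QUERY):
        print(hit["verdict"], hit["key"], hit["name"], "->", hit["exe"],
              hit["exe_tokens"])
```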

     

     

    W32/Mydoom.ah@MM
    November 8, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4405 (released 11/9/2004)
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_129531.htm
    Stinger Removal Tool (v.2.4.4, 11/8/04)

    Nov. 9, 2004 7:00 am HST

    McAfee has raised the risk level of another Mydoom variant, W32/Mydoom.ah@MM, to MEDIUM due to increased prevalence and released the full 4405 DAT early to detect both W32/Mydoom.ag@MM and W32/Mydoom.ah@MM variants. Both variants are similar.

    The UH repositories have been updated. Please update your VirusScan DAT to 4405 using the manual "Update Now" method as soon as possible. Note: you do NOT need to install the SUPER EXTRA.DAT (for W32/Mydoom.ag@MM), if you have not already done so.

    Nov. 8, 2004 6:15 p.m. HST

    There is a new MyDoom variant going around -- without an attachment -- exploiting the Internet Explorer IFRAME buffer overflow vulnerability. If you receive an email matching the following description, please DELETE it. Do not click on any links in the email!

    From: Spoofed address
    Subject: (case may vary)
    • hi!
    • hey!
    • Confirmation
    • blank
    Body: (either PayPal or webcam message)

    Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.

    To see details please click this link.

    DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.

    Thank you for using PayPal.

    or

    Hi! I am looking for new friends.

    My name is Jane, I am from Miami, FL.

    See my homepage with my weblog and last webcam photos!

    See you!

    or

    Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!

    The mail header may contain one of the following fields:
    • X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
    • X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
    • X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
    There is no attachment. When you click on the link or homepage hyperlink in the email, HTML code served by the infected computer exploits the IE IFRAME buffer overflow vulnerability, which automatically executes the virus. The hyperlink contains the IP address of the infected computer that sent the Mydoom email.

    Infected systems will have Windows Explorer listening on TCP port 1639.

    There is no patch for the Internet Explorer vulnerability (yet). Internet Explorer 6 running on Windows XP SP1 and Windows 2000 appear to be affected. Windows XP SP2 systems are not affected.

    Sophos calls this virus the Bofra worm. Their web page explains how the Mydoom (aka Bofra worm) spreads and infects computers.

    W32/Bagle.bd@MM
    (aka W32.Beagle.AW@mm)
    October 29, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4403
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_129511.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)

    Oct. 29, 2004 11:50 a.m. HST - McAfee released DAT 4403 early to detect new variant W32/Bagle.bd@MM due to increased prevalence. DAT 4403 will also detect W32/Bagle.bb@MM.

    W32/Bagle.bd@MM is similar to W32/Bagle.bb@MM and has the following characteristics:
    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • the attachment (filename Price, price or joke) has an EXE, SCR, COM or CPL extension
    • contains a remote access component (listens on TCP port 81)
    • copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
    • tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
    • deletes registry entries of security programs and other worms
    The worm arrives via email with the following characteristics:

    FROM: (spoofed; uses email address harvested from local computer)

    SUBJECT: (one of the following)
    • Re:
    • Re: Hello
    • Re: Thank you!
    • Re: Thanks :)
    • Re: Hi
    BODY: (one of the following)
    • :)
    • :))
    ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
    • Price
    • price
    • Joke
    The following paragraph applies to W32/Bagle.bd@MM only:
    If the worm is received as a CPL file and executed, it drops and executes the worm. The CPL dropper copies itself as CJECTOR.EXE within the default Windows directory. For example,

    C:\WINNT\CJECTOR.EXE

    The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.

    It also makes multiple copies of itself in the default Windows System directory:
    • C:\WINNT\SYSTEM32\wingo.exeopen
    • C:\WINNT\SYSTEM32\wingo.exeopenopen
    • etc.
    The system is hooked to run the virus on startup by the following Registry key entry:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"
    The registry key below is added to store data within a "TimeKey" key:
    • HKEY_CURRENT_USER\Software\Params
    It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.

    These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The worm terminates the processes of the following security products if they are running on the victim machine:
    • mcagent.exe
    • mcvsshld.exe
    • mcshield.exe
    • mcvsescn.exe
    • mcvsrte.exe
    • DefWatch.exe
    • Rtvscan.exe
    • ccEvtMgr.exe
    • NISUM.EXE
    • ccPxySvc.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • nopdb.exe
    • ccApp.exe
    • Avsynmgr.exe
    • VsStat.exe
    • Vshwin32.exe
    • alogserv.exe
    • RuLaunch.exe
    • Avconsol.exe
    • PavFires.exe
    • FIREWALL.EXE
    • ATUPDATER.EXE
    • LUALL.EXE
    • DRWEBUPW.EXE
    • AUTODOWN.EXE
    • NUPGRADE.EXE
    • OUTPOST.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • CFIAUDIT.EXE
    • UPDATE.EXE
    • NUPGRADE.EXE
    • MCUPDATE.EXE
    • pavsrv50.exe
    • AVENGINE.EXE
    • APVXDWIN.EXE
    • pavProxy.exe
    • navapw32.exe
    • navapsvc.exe
    • ccProxy.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • SAVScan.exe
    • SNDSrvc.exe
    • symlcsvc.exe
    • LUCOMS~1.EXE
    • blackd.exe
    • bawindo.exe
    • FrameworkService.exe
    • VsTskMgr.exe
    • SHSTAT.EXE
    • UpdaterUI.exe
    The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129511.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.

    W32/Bagle.bb@MM
    (aka W32.Beagle.AV@mm)
    October 29, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4402
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_129509.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)

    Oct. 29, 2004 - McAfee released DAT 4402 early to detect new variant W32/Bagle.bb@MM due to increased prevalence.

    W32/Bagle.bb@MM has the following characteristics:
    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • the attachment (filename Price, price or joke) has an EXE, SCR, COM or CPL extension
    • contains a remote access component (listens on TCP port 81)
    • copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
    • tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
    • deletes registry entries of security programs and other worms
    The worm arrives via email with the following characteristics:

    FROM: (spoofed; uses email address harvested from local computer)

    SUBJECT: (one of the following)
    • Re:
    • Re: Hello
    • Re: Thank you!
    • Re: Thanks :)
    • Re: Hi
    BODY: (one of the following)
    • :)
    • :))
    ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
    • Price
    • price
    • Joke

    The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.

    It also makes multiple copies of itself in the default Windows System directory:
    • C:\WINNT\SYSTEM32\wingo.exeopen
    • C:\WINNT\SYSTEM32\wingo.exeopenopen
    • etc.
    The system is hooked to run the virus on startup by the following Registry key entry:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"
    The registry key below is added to store data within a "TimeKey" key:
    • HKEY_CURRENT_USER\Software\Params
    It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.

    These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The worm terminates the processes of the following security products if they are running on the victim machine:
    • mcagent.exe
    • mcvsshld.exe
    • mcshield.exe
    • mcvsescn.exe
    • mcvsrte.exe
    • DefWatch.exe
    • Rtvscan.exe
    • ccEvtMgr.exe
    • NISUM.EXE
    • ccPxySvc.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • nopdb.exe
    • ccApp.exe
    • Avsynmgr.exe
    • VsStat.exe
    • Vshwin32.exe
    • alogserv.exe
    • RuLaunch.exe
    • Avconsol.exe
    • PavFires.exe
    • FIREWALL.EXE
    • ATUPDATER.EXE
    • LUALL.EXE
    • DRWEBUPW.EXE
    • AUTODOWN.EXE
    • NUPGRADE.EXE
    • OUTPOST.EXE
    • ICSSUPPNT.EXE
    • ICSUPP95.EXE
    • ESCANH95.EXE
    • AVXQUAR.EXE
    • ESCANHNT.EXE
    • ATUPDATER.EXE
    • AUPDATE.EXE
    • AUTOTRACE.EXE
    • AUTOUPDATE.EXE
    • AVXQUAR.EXE
    • AVWUPD32.EXE
    • AVPUPD.EXE
    • CFIAUDIT.EXE
    • UPDATE.EXE
    • NUPGRADE.EXE
    • MCUPDATE.EXE
    • pavsrv50.exe
    • AVENGINE.EXE
    • APVXDWIN.EXE
    • pavProxy.exe
    • navapw32.exe
    • navapsvc.exe
    • ccProxy.exe
    • navapsvc.exe
    • NPROTECT.EXE
    • SAVScan.exe
    • SNDSrvc.exe
    • symlcsvc.exe
    • LUCOMS~1.EXE
    • blackd.exe
    • bawindo.exe
    • FrameworkService.exe
    • VsTskMgr.exe
    • SHSTAT.EXE
    • UpdaterUI.exe
    The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129509.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.

    W32/Netsky.ag@MM
    October 14, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4399
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_128905.htm

    McAfee has released DAT 4399 early due to the increase in prevalence of a new variant W32/Netsky.ag@MM mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4399 as soon as possible using the manual "Update Now" method.

    Virus Description
    -----------------
    W32/Netsky.ag@MM has the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • harvests email addresses from the victim machine
  • the From: address of messages is spoofed
  • copies itself to local folders containing the string share or sharing, network shares and P2P shared folders.

    When run, the worm displays a message box "File corrupted replace this!"

    The virus copies itself into the default Windows System directory as MsnMsgrs.EXE. For example, C:\WINDOWS\SYSTEM32\MsnMsgrs.exe

    The system is hooked to run the virus on startup by the following Registry key entry:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev

    It copies itself to the Windows directory as the following files:
  • Agradou.zip
  • agua!.zip
  • AIDS!.zip
  • aqui.zip
  • banco!.zip
  • bingos!.zip
  • botao.zip
  • brasil!.zip
  • carros!.zip
  • circular.zip
  • contas!!.zip
  • criancas!.zip
  • diga.zip
  • dinheiro!!.zip
  • docs.zip
  • email.zip
  • festa!!.zip
  • flipe.zip
  • grana!!.zip
  • grana.zip
  • imposto.zip
  • impressao!!.zip
  • jogo!.zip
  • lantrocidade.zip
  • LINUSTOR.zip
  • loterias.zip
  • lulao!.zip
  • massas!.zip
  • missao.zip
  • MsnMsgrs.exe
  • revista.zip
  • robos!.zip
  • sampa!!.zip
  • sorteado!!.zip
  • tetas.zip
  • vaca.zip
  • vadias!.zip
  • vips!.zip
  • Voce.zip
  • war3!.zip
  • Zerado.zip

    The Subject: field may contain one of the following:
  • 0123456789
  • Abra rapido isso!!!!
  • acrdito que em voce!!!
  • algo a mais
  • AmaVoce
  • amor me liga
  • AninhaPutinha +55operado6992292246
  • arquivo zipado PGP???
  • Boleto Pague
  • campanhadafome
  • encontro voce!
  • estou doente veja!!!
  • falea verdade!!!
  • ferias nos E.U.A
  • ganhe muita grana
  • gostaria disso e voce???
  • grana
  • Hackers do Brasil
  • Lembra?
  • me diz o queacha?
  • me veja peladinha
  • Medical Labs Exames!!!
  • meu telefone liga
  • olha que isso!!!
  • parabens!
  • PizzaVeneza!
  • Policia SP
  • pq nao me liga??
  • preenche ai ta bom
  • promocao de viajens de fim de ano
  • Proposta de emprego!!
  • receitas de bolo!!
  • retorna logo isso!!
  • reza de sao tome!!!!.
  • sinto voce!!
  • sua conta bancaria zerada
  • Sua Conta!!
  • Surto :(
  • te amo!
  • tudo sobre voce sabe
  • Vacina contra o HIV!!
  • ve ai logo ta
  • veja detalhes!!!.
  • veja o que tem no zip e me liga
  • voce passou :D!!!

    The Attachment: field may contain one of the following:
  • agradou
  • agua!
  • AIDS!
  • banco!
  • bingos!
  • botao
  • brasil!
  • carros!
  • circular
  • contas!!
  • criancas!
  • dinheiro!!
  • email
  • festa!!
  • flipe
  • grana
  • grana!!
  • imposto
  • impressao!!
  • jogo!
  • lantrocidade
  • LINUSTOR
  • loterias
  • lulao!
  • massas!
  • missao
  • morto
  • pescaria por kilo
  • revista
  • robos!
  • sampa!!
  • sorteado!!
  • Sua saude esta bem?
  • tetas
  • vadias!
  • vips!
  • war3!
  • zerado

    The Body: field may contain one of the following:
  • PizzaVeneza!
  • preenche ai ta bom
  • encontro voce!
  • veja detalhes!!!.
  • reza de sao tome!!!!.
  • Abra rapido isso!!!!
  • AmaVoce
  • AMA!
  • ve ai logo ta
  • voce passou :D!!!
  • arquivo zipado PGP???
  • retorna logo isso!!
  • me diz o queacha?
  • estou doente veja!!!
  • Proposta de emprego!!
  • tudo sobre voce sabe
  • promocao de viajens de fim de ano
  • acrdito que em voce!!!
  • receitas de bolo!!
  • veja o que tem no zip e me liga
  • Boleto Pague
  • Sua Conta!!
  • Policia SP
  • te amo!
  • parabens!
  • olha que isso!!!
  • sua conta bancaria zerada
  • Vacina contra o HIV!!
  • Surto :(
  • ferias nos E.U.A
  • meu telefone liga
  • Medical Labs Exames!!!
  • Hackers do Brasil
  • amor me liga
  • Lembra?
  • grana
  • sinto voce!!
  • pq nao me liga??
  • vaca
  • campanhadafome
  • ganhe muita grana
  • falea verdade!!!
  • algo a mais
  • gostaria disso e voce???
  • me veja peladinha

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need more assistance, please contact the ITS Help Desk at 808-956-8883, 800-558-2669 (toll free from neighbor islands), or email help@hawaii.edu.

    W32/Bagle.az@MM
    (aka W32.Beagle.AR@mm)
    September 28, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4395
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_128582.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.4.0, 9/28/2004)

    September 28, 2004 3:15 pm HST

    McAfee has released DAT 4395 early to detect a new variant W32/Bagle.az@MM (aka W32.Beagle.AR@mm) mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4395 as soon as possible using the manual "Update Now" method.

    JPEG (GDI+) Critical Windows Vulnerability (MS04-028)

    This is worth repeating... especially since W32/Bagle.az worm downloads a .JPG file.

    On Sept. 14, Microsoft announced the JPEG (GDI+) vulnerability in security bulletin MS04-028 affecting Windows operating systems, as well as applications, such as Microsoft Office, Visio, Visual Studio, .NET Framework, and others. Go to http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx for details and patches. This is a CRITICAL update. A specially crafted JPEG can contain code for remote code execution. Code exploiting the JPEG vulnerability was posted to Usenet a few days ago.

    Please patch your Windows system (go to http://windowsupdate.microsoft.com) and Microsoft Office (go to http://officeupdate.microsoft.com) as soon as possible.

    SANS has released its own GDI scanner (since the Microsoft tool is not too helpful). It checks for vulnerable DLLs on your system (Windows 2000 and higher). Download from http://isc.sans.org/gdiscan.php.

    Virus Description

    W32/Bagle.az@MM has the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • the attachment (filename price or joke) has an EXE, SCR, COM or CPL extension
    • contains a remote access component (listens on TCP port 81 and a random UDP port)
    • copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
    • tries to disable anti-virus and security processes, as well as other viruses, such as Netsky
    The worm arrives via email with the following characteristics:

    FROM: (spoofed; uses email address harvested from local computer)

    SUBJECT: (one of the following)
    • Re:
    • Re: Hello
    • Re: Thank you!
    • Re: Thanks :)
    • Re: Hi
    BODY: (one of the following)
    • :)
    • :))
    ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
    • Price
    • price
    • Joke
    The virus copies itself into the default Windows System directory as BAWINDO.EXE. For example, C:\WINDOWS\SYSTEM32\bawindo.exe.

    It also creates other files in the default Windows System directory:
    • C:\WINDOWS\SYSTEM32\bawindo.exeopen
    • C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
    The system is hooked to run the virus on startup by the following Registry key entry:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
    It creates a mutex to stop variants of the W32/Netsky virus from running on the infected computer.

    These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The worm removes Registry values belonging to other worms and security products, deleting any value whose name contains one of these strings:
    • "My AV"
    • "Zone Labs Client Ex"
    • "9XHtProtect"
    • "Antivirus"
    • "Special Firewall Service"
    • "service"
    • "Tiny AV"
    • "ICQNet"
    • "HtProtect"
    • "NetDy"
    • "Jammer2nd"
    • "FirewallSvr"
    • "MsInfo"
    • "SysMonXP"
    • "EasyAV"
    • "PandaAVEngine"
    • "Norton Antivirus AV"
    • "KasperskyAVEng"
    • "SkynetsRevenge"
    • "ICQ Net"
    from these Registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    The worm contacts a long list of websites to retrieve a file named WS.JPG. At the time of the posting, the file was not available on any of the web sites. See http://vil.nai.com/vil/content/v_128582.htm for the complete list of web sites.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Mydoom.s@MM
    (aka W32.Mydoom.Q@mm)
    August 16, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4386
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_127616.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.9, 8/16/2004)

    August 16, 2004 2:30 pm HST

    A new variant of MyDoom has been released... W32/MyDoom.s@MM has been raised to MEDIUM risk by McAfee due to increased prevalence. This email virus spreads with a spoofed (forged, pretending to be someone else) FROM address and the attachment photos_arc.exe. The virus harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages; copies of the virus are then sent to the harvested addresses. The virus downloads a backdoor trojan, BackDoor-CHR, from two websites.

    As a precaution, please DELETE suspicious email with attachments, even from people you know. Do not even try to open the attachment. If you try to open the attachment (even if it does not appear to open successfully), your Windows computer will get infected.

    W32/Mydoom.s@MM arrives in email with the following characteristics:

    FROM: (spoofed, forged)

    may use an email address harvested from the infected computer, or a name from a list of common names combined with the domain t-online.de, mail.com, yahoo.com, hotmail.com, or the domain used for your Internet account

    SUBJECT: photos
    BODY: LOL!;))))
    ATTACHMENT: photos_arc.exe

    When the attachment is run, the virus copies itself to the default WINDOWS (C:\Windows or C:\Winnt) directory as rasor38a.dll, and to the default Windows SYSTEM (C:\Windows\System, C:\Winnt\System32, or C:\Windows\System32) directory as winpsd.exe.

    The virus creates the following registry key values:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe
    The virus downloads a backdoor component from two different websites:
    • www.richcolour.com
    • zenandjuice.com

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    BackDoor-CHR
    (aka Backdoor.Nemog)
    August 16, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4386
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_127617.htm

    August 16, 2004 2:30 pm HST

    W32/Mydoom.s@MM downloads the remote access trojan, BackDoor-CHR, which has the following characteristics:

    • stealths (hides) its activity on the victim machine
    • serves as an HTTP proxy
    • serves as an SMTP relay
    • attempts to connect to numerous remote IRC servers (for remote reporting/command)
    • appends entries to the local hosts file (in an attempt to disable updating of many AV products)
    The trojan attempts to connect to a remote IRC server to await commands. It carries a list of IP addresses and relevant ports (4661, 4242, 8080, and 3306) for many IRC servers (see virus description for list of servers and ports).

    When executed, the trojan copies itself to the startup folder on the victim machine, as DX32HHLP.EXE. For example:
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DX32HHLP.EXE
    The trojan also drops a 4,096 byte kernel mode driver used for stealthing:
    • %SYSTEMROOT%\SYSTEM32\DX32HHEC.SYS
    This component is installed as a service on the victim machine. The service information is stored within the following key:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx32hhec
    The service bears the following characteristics:

    Display name: dx32hhec
    Image Path: %SYSTEMROOT%\SYSTEM32\dx32hhec.sys
    Startup: Automatic

    Note: Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods. You must boot into Safe Mode to detect and remove this trojan.

    The trojan appends the local hosts file on the victim machine, redirecting requests for many antivirus and security vendor web sites and update sites to the local host, i.e. the infected computer. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.
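A defender-side check for the hosts-file tampering described above, added here as an example (it is not the alert's or McAfee's code). The sample hosts lines and the vendor-domain watch-list are constructed, since the alert does not list the exact names the trojan redirects:

```python
import ipaddress

# Assumed watch-list of update/vendor domains; purely illustrative.
WATCHLIST = ("mcafee.com", "nai.com", "symantec.com", "sophos.com",
             "windowsupdate.com", "microsoft.com")
# Names that legitimately map to loopback and must never be flagged.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the shape of a hosts file after the trojan appended to it.
SAMPLE_HOSTS = """\
# constructed sample, not a capture
127.0.0.1       localhost
::1             localhost
192.168.1.10    intranet.example.local
127.0.0.1 www.mcafee.com
127.0.0.1 update.symantec.com   # trailing comment
0.0.0.0 download.mcafee.com
"""


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for every non-comment hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *hosts = line.split()
        yield lineno, ip, [h.lower() for h in hosts]


def _sinkholed(ip):
    """True when the address is loopback (127/8, ::1) or unspecified (0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _on_watchlist(host):
    return any(host == s or host.endswith("." + s) for s in WATCHLIST)


def find_hijacked_entries(text):
    """Return hosts entries that silently sinkhole a name to the local machine."""
    hits = []
    for lineno, ip, hosts in parse_hosts(text):
        if not _sinkholed(ip):
            continue
        for host in hosts:
            if host in LEGIT_LOOPBACK:
                continue
            hits.append({"line": lineno, "ip": ip, "host": host,
                         "vendor": _on_watchlist(host)})
    return hits


def strip_hijacked(text):
    """Return the hosts text with the hijacked lines removed (repair step)."""
    bad = {h["line"] for h in find_hijacked_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for hit in find_hijacked_entries(SAMPLE_HOSTS):
        print("line %(line)d: %(host)s -> %(ip)s (vendor=%(vendor)s)" % hit)
```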

    Two ports (exact port numbers used vary) are opened by the trojan. For example, TCP 33167 and 33170 were opened in testing.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Bagle.aq@MM
    (aka W32.Beagle.ao@mm)
    August 9, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4384
    Minimum VirusScan scan engine: 4.3.40
    For more information: http://vil.nai.com/vil/content/v_127423.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.8, 8/9/2004)

    August 9, 2004 11:30 am HST

    McAfee released VirusScan DAT 4384 to detect W32/Bagle.aq@MM. DAT 4384 has been posted to the UH repositories. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.

    W32/Bagle.aq@MM spreads via email with a spoofed FROM address and a .ZIP attachment (which contains an EXE and an HTML file). The EXE file (same name as the ZIP file) is placed inside a folder within the ZIP file, so when the archive is viewed with Explorer (instead of a stand-alone ZIP utility such as WinZip or PKZIP) only the HTML file and a folder are visible.

    The HTML file contains exploit code which will automatically run the EXE file, which is a downloader trojan, on vulnerable Windows systems. The downloader trojan contacts a large number of websites to retrieve the virus itself.

    The worm harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

    Warning: since the Bagle source code was released on the Internet in early July 2004, please expect more Bagle variants to be released. As a precaution, please DELETE suspicious email with attachments, even from people you know. The current viruses spoof or forge the FROM address, pretending to be sent from someone else. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.

    W32/Bagle.aq@MM arrives in email with the following characteristics:

    FROM: (spoofed or forged address)

    SUBJECT: (blank)

    BODY:

    • new price
    ATTACHMENT (one of the following):
    • price.zip
    • price2.zip
    • price_new.zip
    • price_08.zip
    • 08_price.zip
    • newprice.zip
    • new_price.zip
    • new__price.zip
    The ZIP file contains PRICE.EXE and PRICE.HTML files.

    When the HTML file is opened on a vulnerable system, it runs the EXE file. When the EXE file is run (manually or automatically by the HTML file), it copies itself into the default Windows System directory as WINDIRECT.EXE. For example,

    C:\WINNT\SYSTEM32\WINdirect.exe

    It also drops a DLL file in this directory:
    • _dll.exe
    The DLL file is injected into the Explorer.exe process, so its actions will appear to have originated from Explorer.exe.

    The following Registry keys are added to hook system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "win_upd2.exe" = C:\WINNT\SYSTEM32\windll.exe
    Once the virus executable is downloaded and run by the downloader trojan, the virus copies itself into the Windows System directory as WINDLL.EXE. For example:
    • C:\WINNT\SYSTEM32\windll.exe
    It also creates other files in this directory to perform its functions:
    • C:\WINNT\SYSTEM32\windll.exeopen
    • C:\WINNT\SYSTEM32\windll.exeopenopen
    The following Registry key is added to hook system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "erthgdr" = "C:\WINNT\SYSTEM32\windll.exe"
    Additionally, the following Registry keys are added:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ru1n
    A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
    • 'D'r'o'p'p'e'd'S'k'y'N'e't'
    • _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
    • [SkyNet.cz]SystemsMutex
    • AdmSkynetJklS003
    • ____--->>>>U<<<<--____
    • _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
    It opens TCP port 80 and a random UDP port on the infected machine for remote connections.

    It attempts to delete registry entries for several security and anti-virus products from these registry keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    deleting any values that contain these strings:
    • My AV
    • Zone Labs Client Ex
    • 9XHtProtect
    • Antivirus
    • Special Firewall Service
    • service
    • Tiny AV
    • ICQNet
    • HtProtect
    • NetDy
    • Jammer2nd
    • FirewallSvr
    • MsInfo
    • SysMonXP
    • EasyAV
    • PandaAVEngine
    • Norton Antivirus AV
    • KasperskyAVEng
    • SkynetsRevenge
    • ICQ Net
    It attempts to copy itself into any folder with the characters SHAR in its folder name, using the following file names:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The SHAR folders are often used by peer-to-peer (P2P) file-sharing programs such as KaZaa, Bearshare, Limewire, etc.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Mydoom.o@MM
    July 26, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium on Watch
    Minimum VirusScan DAT: 4381
    Minimum VirusScan scan engine: 4.3.20
    For more information: http://vil.nai.com/vil/content/v_127033.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.5, 7/26/2004)

    July 26, 2004 9:00 am HST

    A new variant of MyDoom has been released... W32/MyDoom.o@MM has been raised to MEDIUM on WATCH risk by McAfee due to increased prevalence. This email virus spreads with a spoofed (forged, pretending to be someone else) FROM address and an attachment with an .EXE, .COM, .SCR, .PIF, .BAT, .CMD or .ZIP file extension. If the attachment is a ZIP archive, it may be double-zipped, i.e. a .ZIP within a .ZIP.

    The attachment's file extension may use a double extension and there may be multiple spaces between the file extensions to fool users.
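An added example (not code from the alert) of a mail-gateway attachment check for the tricks described for W32/Bagle.aq@MM above (an EXE hidden in a subfolder next to an HTML file inside the ZIP) and for W32/Mydoom.o@MM here (double extensions padded with spaces, a .ZIP inside a .ZIP). The archive contents are constructed placeholders, not malware samples, and the size and depth limits are assumptions:

```python
import io
import re
import zipfile

# Attachment extensions the alerts list as directly executable.
EXEC_EXTS = {".exe", ".scr", ".com", ".cpl", ".pif", ".bat", ".cmd"}
# "name.doc      .exe": two extensions separated by a run of whitespace.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\s+\.[a-z0-9]{2,4}$", re.IGNORECASE)
MAX_DEPTH = 2               # assumed: ZIP-in-ZIP deeper than this is flagged, not opened
MAX_MEMBER_BYTES = 1 << 20  # assumed: refuse to inflate larger members (zip-bomb guard)


def _ext(name):
    """Lower-cased extension of the last path component ('' if none)."""
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_attachment(name, data, depth=0, findings=None):
    """Recursively inspect one attachment; return a list of (finding, path) pairs."""
    if findings is None:
        findings = []
    if DOUBLE_EXT_RE.search(name):
        findings.append(("double-extension", name))
    if _ext(name) in EXEC_EXTS:
        findings.append(("executable", name))
    # Only archives need further inspection; trust the magic bytes, not just the name.
    if _ext(name) != ".zip" and data[:2] != b"PK":
        return findings
    if depth > 0:
        findings.append(("nested-zip", name))
    if depth >= MAX_DEPTH:
        findings.append(("too-deep", name))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(("bad-zip", name))
        return findings
    with zf:
        for info in zf.infolist():
            inner = f"{name}!{info.filename}"
            if info.flag_bits & 0x1:            # encrypted member: cannot be scanned
                findings.append(("encrypted-member", inner))
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append(("oversized-member", inner))
                continue
            if _ext(info.filename) in {".htm", ".html"}:
                findings.append(("html-member", inner))
            # The Bagle.aq layout: the EXE sits in a subfolder so Explorer hides it.
            if "/" in info.filename and _ext(info.filename) in EXEC_EXTS:
                findings.append(("executable-in-subfolder", inner))
            inspect_attachment(inner, zf.read(info.filename), depth + 1, findings)
    return findings


def build_sample_zip(nested=False):
    """Constructed stand-in for the price.zip layout (placeholder bytes, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.html", "<html><!-- constructed placeholder --></html>")
        zf.writestr("price/price.exe", b"MZ constructed placeholder")
    if not nested:
        return buf.getvalue()
    outer = io.BytesIO()          # Mydoom.o style: a .ZIP inside a .ZIP
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("document.zip", buf.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, path in inspect_attachment("price.zip", build_sample_zip()):
        print(f"{kind:25} {path}")
    for kind, path in inspect_attachment("README.doc     .exe", b"MZ placeholder"):
        print(f"{kind:25} {path}")
```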

    The virus harvests email addresses from files (.doc, .txt, .htm, .html) on the infected computer and from any active Microsoft Outlook window. It uses its own SMTP engine to construct outgoing messages. It queries four search engines to harvest email addresses:

    • http://search.lycos.com
    • http://www.altavista.com
    • http://search.yahoo.com
    • http://www.google.com
    The messages may appear to be a bounced message from a mail server with FROM addresses similar to mailer-daemon@(target_domain) or noreply@(target_domain).

    The virus contains a remote access component, listening to TCP port 1034.

    It also copies itself to folders with the strings USERPROFILE or yahoo.com in the folder name, commonly used by peer-to-peer applications.

    As a precaution, please DELETE suspicious email with attachments, even from people you know. Do not even try to open the attachment. If you try to open the attachment (even if it does not appear to open successfully), your Windows computer will get infected.

    W32/Mydoom.o@MM arrives in email with the following characteristics:

    FROM: (spoofed, forged)

    SUBJECT: (one of the following)
    • hello
    • hi
    • error
    • status
    • test
    • report
    • delivery failed
    • Message could not be delivered
    • Mail System Error - Returned Mail
    • Delivery reports about your e-mail
    • Returned mail: see transcript for details
    • Returned mail: Data format error
    ATTACHMENT: (extension EXE, COM, SCR, PIF, BAT, CMD, ZIP)

    Target email address as filename or one of the following:
    • README
    • INSTRUCTION
    • TRANSCRIPT
    • MAIL
    • LETTER
    • FILE
    • TEXT
    • ATTACHMENT
    • DOCUMENT
    • MESSAGE
    If the W32/Mydoom.o@MM email appears to be a bounced message, it will have one of the following SUBJECT lines:
    • "Automatic Email Delivery Software"
    • "Bounced mail"
    • "MAILER-DAEMON"
    • "Mail Administrator"
    • "Mail Delivery Subsystem"
    • "Post Office"
    • "Returned mail"
    • "The Post Office"
    with the following BODY text:
    =======begin body text==========
    Dear user of [TargetDomain],

    We have received reports that your account was used to send a large amount of junk email messages during the last week. Probably, your computer had been compromised and now contains a hidden proxy server.

    Please follow the instruction in the attached file in order to keep your computer safe.

    Have a nice day,
    [TargetDomain] user support team.
    =======end body text================

    Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
    • C:\WINDOWS\JAVA.EXE
    It also drops the file SERVICES.EXE (8,192 bytes) into this directory:
    • C:\WINDOWS\SERVICES.EXE
    Note: there is a legitimate Windows system file in %WinDir%\System32 with filename SERVICES.EXE which must NOT be deleted. Make sure to check the file size.

    The following Registry keys are added to hook system startup:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
    The following Registry keys are also added:
    • HKEY_CURRENT_USER\Software\Microsoft\Daemon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Bagle.ai@MM
    (aka W32.Beagle.ag@mm)
    July 19, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4379
    Minimum VirusScan scan engine: 4.3.40
    For more information: http://vil.nai.com/vil/content/v_126798.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.4, 7/19/2004)

    July 19, 2004 1:35 pm HST

    McAfee released VirusScan DAT 4379 to detect W32/Bagle.ai@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.

    W32/Bagle.ai@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP (password protected) file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message. It harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

    Warning: since the Bagle source code was released on the Internet earlier this month, please expect more Bagle variants to be released. As a precaution, please DELETE suspicious email with attachments, even from people you know. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.

    W32/Bagle.ai@MM arrives in email with the following characteristics:

    FROM: (spoofed address)

    SUBJECT:

    • Re:
    BODY:
    • >foto3 and MP3
    • >fotogalary and Music
    • >fotoinfo
    • >Lovely animals
    • >Animals
    • >Predators
    • >The snake
    • >Screen and Music
    ATTACHMENT (one of the following):
    • MP3
    • Music_MP3
    • New_MP3_Player
    • Cool_MP3
    • Doll
    • Garry
    • Cat
    • Dog
    • Fish
    ATTACHMENT extension (one of the following):
    • .EXE
    • .SCR
    • .COM
    • .CPL
    • .ZIP
    If the attachment is a password-protected ZIP archive, the password is included in the message body.

    BODY: (one of the following)
    • Password: (random number)
    • Pass - (random number)
    • Key - (random number)
    The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files contain random characters.

    The virus copies itself in the default Windows System directory as WinXP.EXE. For example,

    C:\WINNT\SYSTEM32\WinXP.exe

    It also creates other files in the same directory to perform its functions:
    • %SysDir%\WinXP.exeopen
    • %SysDir%\WinXP.exeopenopen
    • %SysDir%\WinXP.exeopenopenopen
    • %SysDir%\WinXP.exeopenopenopenopen
    It adds the following Registry key to hook itself on system startup:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      "key " = "%SysDir%\WinXP.exe"
    The worm attempts to terminate various security programs and other worms, such as Netsky. It opens a backdoor on TCP port 1080 and UDP port 1040 on the infected machine.

    It attempts to delete registry entries for several security and anti-virus products from these registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    deleting any values that contain these strings:
    • My AV
    • Zone Labs Client Ex
    • 9XHtProtect
    • Antivirus
    • Special Firewall Service
    • service
    • Tiny AV
    • ICQNet
    • HtProtect
    • NetDy
    • Jammer2nd
    • FirewallSvr
    • MsInfo
    • SysMonXP
    • EasyAV
    • PandaAVEngine
    • Norton Antivirus AV
    • KasperskyAVEng
    • SkynetsRevenge
    • ICQ Net
    It attempts to copy itself into any folder with the characters SHAR in its folder name, using the following file names:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The SHAR folders are often used by peer-to-peer (P2P) file-sharing programs such as KaZaa, Bearshare, Limewire, etc.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Bagle.ag@MM
    (aka W32.Beagle.ac@mm)
    July 19, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4378
    Minimum VirusScan scan engine: 4.3.40
    For more information: http://vil.nai.com/vil/content/v_126795.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.3, 7/19/2004)

    July 19, 2004 8:15 am HST

    McAfee has released DAT 4378 to detect W32/Bagle.ag@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method. Note: DAT 4378 detects the password-protected ZIP attachment for W32/Bagle.af@MM virus from last week.

    W32/Bagle.ag@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP (password protected) file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (plain text or image). It harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.

    W32/Bagle.ag@MM arrives in email with the following characteristics:

    FROM: (spoofed address)

    SUBJECT (one of the following):

    • Password: %s
    • Pass - %s
    • Key - %s
    • Re:
    • foto3
    • fotogalary
    • fotoinfo
    • Lovely animals
    • Animals
    • Predators
    • The snake
    • Screen
    BODY:
      (blank)
    ATTACHMENT (one of the following):
    • foto3
    • foto2
    • foto1
    • Secret
    • Doll
    • Garry
    • Cat
    • Dog
    • Fish
    ATTACHMENT extension (one of the following):
    • .EXE
    • .SCR
    • .COM
    • .CPL
    • .ZIP
    If the attachment is a password-protected ZIP archive, the email has the password in the message body as a bitmap image:

    BODY: (one of the following)
    • Password: (Image File)
    • Pass - (Image File)
    • Key - (Image File)
    • :)(Image File)
    The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files contain random characters.

    The virus copies itself in the default Windows System directory as SYS_XP.EXE. For example,

    C:\WINNT\SYSTEM32\sys_xp.exe

    It also creates copies of itself (with garbage appended) in the same directory:
    • sys_xp.exeopen
    • sys_xp.exeopenopen
    It adds the following Registry key to hook itself on system startup:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      "key " = "C:\WINNT\System32\sys_xp.exe"
    The worm attempts to terminate various security programs and other worms, such as Netsky. It opens a backdoor on TCP port 1080 on the infected machine.

    These are the programs that it attempts to terminate:
    • My AV
    • Zone Labs Client Ex
    • 9XHtProtect
    • Antivirus
    • Special Firewall Service
    • service
    • Tiny AV
    • ICQNet
    • HtProtect
    • NetDy
    • Jammer2nd
    • FirewallSvr
    • MsInfo
    • SysMonXP
    • EasyAV
    • PandaAVEngine
    • Norton Antivirus AV
    • KasperskyAVEng
    • SkynetsRevenge
    • ICQ Net
    It attempts to copy itself into any folder with the characters SHAR in its folder name, using the following file names:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The SHAR folders are often used by peer-to-peer (P2P) file-sharing programs such as KaZaa, Bearshare, Limewire, etc.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Bagle.af@MM
    (aka W32.Beagle.ab@mm)
    July 15, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium on Watch
    Minimum VirusScan DAT: 4377
    Minimum VirusScan scan engine: 4.3.40
    For more information: http://vil.nai.com/vil/content/v_126792.htm
    http://www.sophos.com/virusinfo/analyses/w32bagleaf.html
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.ab@mm.html
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.2, 7/15/2004)

    July 15, 2004 7:30 pm HST

    McAfee has released DAT 4377 to detect W32/Bagle.af@MM. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.

    W32/Bagle.af@MM spreads via email with a spoofed FROM address and attachment with .EXE, .SCR, .COM, .CPL, and .ZIP file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (plain text or image). It harvests email addresses from files on the infected computer.

    W32/Bagle.af@MM arrives in email with the following characteristics:

    FROM: (spoofed address)

    SUBJECT (one of the following):

    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Notification
    • Changes..
    • Update
    • Fax Message
    • Protected message
    • RE: Protected message
    • Forum notify
    • Site changes
    • Re: Hi
    • Encrypted document
    BODY (one of the following):
    • Read the attach.
    • Your file is attached.
    • More info is in attach
    • See attach.
    • Please, have a look at the attached file.
    • Your document is attached.
    • Please, read the document.
    • Attach tells everything.
    • Attached file tells everything.
    • Check attached file for details.
    • Check attached file.
    • Pay attention at the attach.
    • See the attached file for details.
    • Message is in attach
    • Here is the file.
    ATTACHMENT (one of the following):
    • Information
    • Details
    • text_document
    • Updates
    • Readme
    • Document
    • Info
    • MoreInfo
    • Message
    ATTACHMENT extension (one of the following):
    • .exe
    • .scr
    • .com
    • .cpl
    • .zip
    If the attachment is a password-protected ZIP archive, the email has the following characteristics:

    SUBJECT: (one of the following)
    • Password:
    • Pass -
    • Password -
    BODY: (one of the following)
    • For security reasons attached file is password protected. The password is
    • For security purposes the attached file is password protected. Password --
    • Note: Use password to open archive.
    • Attached file is protected with the password for security reasons. Password is
    • In order to read the attach you have to use the following password:
    • Archive password:
    • Password -
    • Password:
    The password-protected ZIP files may also contain a second, randomly-named benign file with extension .INI, .CFG, .TXT, .VXD, .DEF, and .DLL. These files will contain random garbage characters.

    The virus copies itself in the default Windows System directory as SYSXP.EXE. For example,

    C:\WINNT\SYSTEM32\sysxp.exe

    It also creates copies of itself (with garbage appended) in the same directory:
    • sysxp.exeopen
    • sysxp.exeopenopen
    It adds the following Registry key to hook itself on system startup:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      "key " = "C:\WINNT\System32\sysxp.exe"
    The worm attempts to terminate various security programs and other worms, such as Netsky. It opens a backdoor on TCP port 1080 and random UDP ports.

    These are the programs that it attempts to terminate:
    • My AV
    • Zone Labs Client Ex
    • 9XHtProtect
    • Antivirus
    • Special Firewall Service
    • service
    • Tiny AV
    • ICQNet
    • HtProtect
    • NetDy
    • Jammer2nd
    • FirewallSvr
    • MsInfo
    • SysMonXP
    • EasyAV
    • PandaAVEngine
    • Norton Antivirus AV
    • KasperskyAVEng
    • SkynetsRevenge
    • ICQ Net
    It attempts to copy itself in any folder with the characters SHAR with the following file names:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The SHAR folders are often used by peer-to-peer (P2P) filesharing programs such as KaZaa, Bearshare, LimeWire, etc.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

    If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.

     

     

    W32/Bagle.ad@MM
    (aka W32.Beagle.Y@mm)
    July 5, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4373 (released 7/5/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_126562.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.3.0, updated 7/5/2004)

    July 5, 2004 3:00 pm HST

    McAfee has raised the risk level of W32/Bagle.ad@MM to MEDIUM due to increased prevalence and media attention. McAfee VirusScan DAT 4373 detects this threat and has been updated on the UH repositories.

    Please update your VirusScan DAT to 4373 as soon as possible using the manual "Update Now" method. The ITS mail server (mail.hawaii.edu) is scanning for this threat.

    The worm includes a copy of its assembler source code. Expect more Bagle variants based on this source code to be released soon, e.g. with a different backdoor port number, backdoor password, expiry date, etc.

    W32/Bagle.ad@MM spreads via email with a spoofed FROM address and an attachment with an .HTA, .VBS, .EXE, .SCR, .COM, .CPL, or .ZIP file extension. If the attachment is a .ZIP file, the password will be contained in the body of the message (as plain text or an image). It harvests email addresses from files on the infected computer.

    W32/Bagle.ad@MM arrives in email with the following characteristics:

    SUBJECT (one of the following):

    • Changes..
    • Encrypted document
    • Fax Message
    • Forum notify
    • Incoming message
    • Notification
    • Protected message
    • Re: Document
    • Re: Hello
    • Re: Hi
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Re: Msg reply
    • RE: Protected message
    • RE: Text message
    • Re: Thank you!
    • Re: Thanks :)
    • Re: Yahoo!
    • Site changes
    • Update
    BODY (one of the following):
    • Attach tells everything.
    • Attached file tells everything.
    • Check attached file for details.
    • Check attached file.
    • Here is the file.
    • Message is in attach
    • More info is in attach
    • Pay attention at the attach.
    • Please, have a look at the attached file.
    • Please, read the document.
    • Read the attach.
    • See attach.
    • See the attached file for details.
    • Your document is attached.
    • Your file is attached.
    ATTACHMENT (one of the following):
    • Information
    • Details
    • text_document
    • Updates
    • Readme
    • Document
    • Info
    • MoreInfo
    • Message
    ATTACHMENT extension (one of the following):
    • .hta
    • .vbs
    • .exe
    • .scr
    • .com
    • .cpl
    • .zip
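    The subject, body and attachment lists above are exact strings, which makes them usable as a mail-gateway rule. The following is an added example for this alert, not ITS or McAfee code: it parses an RFC 822 message with Python's standard email module and reports which of the listed lure fields match. The indicator strings are transcribed from the alert; the sample messages are constructed here, and the verdict labels ("likely W32/Bagle.ad@MM", "suspicious", "no indicator") are this example's own.

```python
"""Flag incoming mail that matches the W32/Bagle.ad@MM lure described above.

Added example for this alert; it is not ITS or McAfee code. The subject,
body and attachment strings are the ones listed in the alert, the sample
messages are constructed here, and the verdict labels are this example's own.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

SUBJECTS = {
    "Changes..", "Encrypted document", "Fax Message", "Forum notify",
    "Incoming message", "Notification", "Protected message", "Re: Document",
    "Re: Hello", "Re: Hi", "Re: Incoming Message", "RE: Incoming Msg",
    "RE: Message Notify", "Re: Msg reply", "RE: Protected message",
    "RE: Text message", "Re: Thank you!", "Re: Thanks :)", "Re: Yahoo!",
    "Site changes", "Update",
}
BODIES = {
    "Attach tells everything.", "Attached file tells everything.",
    "Check attached file for details.", "Check attached file.",
    "Here is the file.", "Message is in attach", "More info is in attach",
    "Pay attention at the attach.", "Please, have a look at the attached file.",
    "Please, read the document.", "Read the attach.", "See attach.",
    "See the attached file for details.", "Your document is attached.",
    "Your file is attached.",
}
# Password-protected ZIP lures: the body starts with one of these and the
# password follows, so they are matched by prefix rather than exactly.
PASSWORD_MARKERS = (
    "For security reasons attached file is password protected. The password is",
    "For security purposes the attached file is password protected. Password --",
    "Note: Use password to open archive.",
    "Attached file is protected with the password for security reasons. Password is",
    "In order to read the attach you have to use the following password:",
    "Archive password:", "Password -", "Password:",
)
ATTACHMENT_NAMES = {"Information", "Details", "text_document", "Updates",
                    "Readme", "Document", "Info", "MoreInfo", "Message"}
EXECUTABLE_EXTS = {".hta", ".vbs", ".exe", ".scr", ".com", ".cpl"}


def classify_message(raw: bytes) -> dict:
    """Return a verdict and the list of lure fields that matched."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip() if text_part is not None else ""

    hits = []
    if subject in SUBJECTS:
        hits.append("subject")
    if body in BODIES:
        hits.append("body")
    elif any(body.startswith(marker) for marker in PASSWORD_MARKERS):
        hits.append("body:password-zip")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, _, ext = name.rpartition(".")
        ext = "." + ext.lower()
        if stem in ATTACHMENT_NAMES and (ext in EXECUTABLE_EXTS or ext == ".zip"):
            hits.append(f"attachment:{name}")
        elif ext in EXECUTABLE_EXTS:
            # Not a Bagle.ad name, but still an executable attachment worth holding.
            hits.append(f"executable:{name}")

    fields = {hit.split(":", 1)[0] for hit in hits}
    if {"subject", "body", "attachment"} <= fields:
        verdict = "likely W32/Bagle.ad@MM"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicator"
    return {"verdict": verdict, "hits": hits}


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a sample message (not a real capture) for the demo below."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


SAMPLE_BAGLE = build_sample("Re: Incoming Message", "Check attached file.", "Details.exe")
SAMPLE_PWZIP = build_sample("Protected message", "Archive password: 48213", "Info.zip")
SAMPLE_CLEAN = build_sample("Minutes from Tuesday",
                            "Notes from the meeting are attached.", "minutes.pdf")

if __name__ == "__main__":
    for sample in (SAMPLE_BAGLE, SAMPLE_PWZIP, SAMPLE_CLEAN):
        print(classify_message(sample))
```

    Matching all three lure fields at once keeps false positives down: "Update" or "Notification" alone is a common legitimate subject, but a listed subject together with a listed one-line body and a listed attachment name carrying an executable or ZIP extension is the alert's pattern. An executable attachment that matches nothing else is still reported as "suspicious" so the gateway can hold it for review rather than drop it silently.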
    The virus copies itself in the default Windows System directory as LOADER_NAME.EXE. For example,
      C:\WINNT\SYSTEM32\loader_name.exe
    It also creates copies of itself with garbage appended in the same directory:
    • loader_name.exeopen
    • loader_name.exeopenopen
    It adds the following Registry key to hook itself on system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "reg_key " = "C:\WINNT\System32\loader_name.exe"
    The worm attempts to terminate various security programs and other worms, e.g. Netsky. It opens a backdoor on TCP port 1234, which allows the infected computer to be used as an email relay.

    It attempts to copy itself in any folder with the characters SHAR with the following file names:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    The SHAR folders are often used by peer-to-peer (P2P) filesharing programs such as KaZaa, Bearshare, LimeWire, etc.

    FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

     

     

    W32/Lovgate.ad@MM
    July 2, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4372 (released 7/2/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_126560.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.9, updated 7/2/2004)

    July 2, 2004 3:20 pm HST

    McAfee (note the name change from NAI) has raised the threat level of W32/Lovgate.ad@MM to MEDIUM due to increased prevalence. VirusScan DAT 4372 has been released to detect this threat and posted to the UH repositories. Please update your McAfee VirusScan DAT as soon as possible using the manual "Update Now" method.

    This variant exploits the RPC Buffer Overflow vulnerability (MS03-026, superseded by the MS03-039 patch). The MS03-039 patch is available at http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx. Please make sure your systems are patched for this vulnerability.

    W32/Lovgate.ad@MM is an email worm (152,064 bytes) with these characteristics:

    • drops a backdoor component (detected as BackDoor-AQJ)
    • attempts to copy itself to accessible or poorly secured remote shares (with weak passwords), scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.
    • creates a share on the victim machine (share name "MEDIA").
    • mails itself, constructing messages with its own SMTP engine. The email attachment may be a ZIP archive; the archive contains a copy of the worm with a COM, EXE, PIF or SCR extension.
    • the worm replies to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.
    • performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .ZMX extension) on mapped network drives.
    • terminates processes associated with various AV and security products.
    This variant also uses the RPC Interface Buffer Overflow vulnerability (MS03-026, superseded by the MS03-039 patch) to infect other machines on the network. The MS03-039 patch is available at http://www.microsoft.com/technet/security/bulletin/MS03-039.mspx.

    EMAIL PROPAGATION

    The virus responds to unread messages in Microsoft Outlook and Outlook Express inboxes and deletes the messages after responding to them.

    Subject: Re: Original subject

    Body:

    ======
    original message body
    ======
    Mail auto-reply:

    If you can keep your head when all about you
    Are losing theirs and blaming it on you;
    If you can trust yourself when all men doubt you,
    But make allowance for their doubting too;
    If you can wait and not be tired by waiting,
    Or, being lied about,don't deal in lies,
    Or, being hated, don't give way to hating,
    And yet don't look too good, nor talk too wise;
    ... ... more look to the attachment.

    > Get your FREE YAHOO.COM Mail now! <

    It also constructs messages using its own SMTP engine.

    Subject: (one of the following)
    • hi
    • hello
    • Hello
    • Mail transaction Failed
    • mail delivery system
    Body: (one of the following)
    • Mail failed. For further assistance, please contact!
    • The message contains Unicode characters and has been sent as a binary attachment.
    • It's the long-awaited film version of the Broadway hit. The message sent as a binary attachment.
    Attachment: (random strings with EXE, PIF, SCR, ZIP extensions)

    NETWORK PROPAGATION

    The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:
    • ADMIN$\SYSTEM32\NETMANAGER.EXE
    and remotely executing it as a service. The service bears the following characteristics:
      Display name: Windows Management NetWork Service Extensions
      ImagePath: NetManager.exe -exe_start
      Startup: Automatic
    It will attempt to gain access to computers on the network by logging in as an Administrator and using a list of common or simple passwords.

    It creates a network share, "Media," and drops the following files into C:\%Windir%\Media\
    • WinRAR.exe
    • Internet Explorer.bat
    • Documents and Settings.txt.exe
    • Microsoft Office.exe
    • Windows Media Player.zip.exe
    • Support Tools.exe
    • Window
    • Update.pif
    • Cain.pif
    • MSDN.ZIP.pif
    • autoexec.bat
    • findpass.exe
    • client.exe
    • i386.exe
    • winhlp32.exe
    • xcopy.exe
    • mmc.exe
    RPC DCOM EXPLOIT

    When the worm is initially executed it drops 2 files (61,440 bytes) into the %WinDir%\System32\ folder as:
    • SPOLLSV.EXE (detected as W32/Lovgate.x@MM).
    • NETMEETING.EXE (detected as W32/Lovgate.x@MM).
    These files are FTP server components which run a script to download a file called HXDEF.EXE which is a copy of the worm itself. The worm is automatically executed after it has been downloaded.

    The following Registry key is created so that Netmeeting.exe is executed at startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "Microsoft NetMeeting Associates, Inc." = NetMeeting.exe
    SYMPTOMS

    When the worm is executed, various files are dropped on the system. The following are copies of the worm (152,064 bytes):
    • %WinDir%\System32\IEXPLORE.EXE
    • %WinDir%\System32\KERNEL66.DLL
    • %WinDir%\System32\RAVMOND.exe
    • %WinDir%\System32\HXDEF.EXE
    • %WinDir%\System32\UPDATE_OB.EXE
    • %WinDir%\System32\TKBELLEXE.EXE
    • %WinDir%\SYSTRA.EXE
    • %WinDir%\SVCHOST.EXE.EXE
    • C:\COMMAND.EXE
    The following DLLs (all identical) are also dropped. They are the remote access component, detected as BackDoor-AQJ:
    • %WinDir%\System32\MSJDBC11.DLL
    • %WinDir%\System32\MSSIGN30.DLL
    • %WinDir%\System32\ODBC16.DLL
    • %WinDir%\System32\LMMIB20.DLL
    The following Registry keys are added in order to run the worm at system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Hardware Profile" = %SysDir%\HXDEF.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WinHelp" = %SysDir%\IEXPLORE.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
    The following Registry keys are created so that the worm starts additional Services:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SystemTra" = %WinDir%\SYSTRA.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "COMM++System" = %WinDir%\SVCHOST.EXE
    The following keys are added to run the backdoor component at system startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    The backdoor component is also installed as two services on the victim machine, the services bearing the following characteristics:
      Service 1
      Display name: _reg
      ImagePath: Rundll32.exe msjdbc11.dll ondll_server
      Startup: automatic

      Service 2
      Display name: Windows Management Protocol v.0 (experimental)
      Description: Windows Advanced Server. Performs scheduled scans for LANguard.
      ImagePath: Rundll32.exe msjdbc11.dll ondll_server
      Startup: automatic

     

     

    BackDoor-AXJ
    (aka Backdoor.Berbew (NAV))
    June 25, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Low-Profiled
    Minimum VirusScan DAT: 4370 (released 6/25/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_100488.htm

    June 25, 2004

    Media attention has been given to several commercial IIS websites being hacked recently to serve exploit script code that results in the new variant BackDoor-AXJ and other trojans being installed on victim computers. Users browsing the compromised websites, using Internet Explorer, get infected when unsolicited files are downloaded and executed on their computer.

    For further details about vulnerable IIS servers and IE clients, see http://www.microsoft.com/security/incident/download_ject.mspx

    Once running on the victim's computer, the trojan acts as a web proxy, can check remote server for updates, and logs cached passwords on the victim computer (for sending to the hacker).

    This remote access trojan installs itself in the default Windows system directory (e.g. C:\WINNT\SYSTEM32) with a random 8-character filename and drops a DLL with a random 8-character filename. For example,

    C:\WINNT\SYSTEM32\OQLCINEI.EXE (39,140 bytes - copy of trojan)
    C:\WINNT\SYSTEM32\BAGMBBPJ.DLL (5,633 bytes - dropped DLL)

    Two ports (exact port numbers vary between variants) are opened on the victim machine. One port is used for the web proxy, the other for communication. Ports observed in samples include: 7714, 8546, 12334, and 12324.

    Notification is sent to the hacker via HTTP, sending data to a remote PHP script. Data includes IP of the computer and port numbers opened. An "identification string" is also sent.

    The following registry key is created so the trojan runs when you start Windows:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79FA9088-19CE-715D-D85A-216290C5B738}\InProcServer32
      • Value (Default) is added to the registry key and set to the dropped .DLL filename.
      • Value "ThreadingModel"="Apartment" is also added to the registry key.
    Value "Web Event Logger"="{79FA9088-19CE-715D-D85A-216290C5B738}" is added to the following registry key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    so the DLL file is loaded when you start Windows. The trojan patches the contents of the dropped DLL file by writing its own filename into it so the DLL file knows the name of the executable file and can run it.

    It attempts to access the password cache (includes modem and dial-up passwords, URL passwords, share passwords, and others) on the local computer.

    The Trojan may use the following files to log the passwords and to store downloaded configuration data:
      %System%\NtXgl16.dat
      %System%\NtXgl16.vxd
      %System%\NtXgl16.sys
    It attempts to intercept any entered data in active windows. It intercepts contents from the clipboard. It may target Internet bank accounts to steal login information.

    To intercept entered data reliably, the Trojan needs the user to type the login details in full rather than have the browser fill them in. For this purpose, it attempts to disable password caching and Autocomplete by setting the following registry values:

    "FormSuggest Passwords"="yes"
    "FormSuggest PW Ask"="yes"
    "Use FormSuggest"="yes"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

     

     

    Exploit-MhtRedir.gen
    June 25, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Low-Profiled
    Minimum VirusScan DAT: 4370 (released 6/25/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_101033.htm

    June 25, 2004

    Media attention has been given to several commercial IIS websites being remotely hacked recently. Exploit-MhtRedir.gen was used to redirect the user's web browser to the location http://217.107.218.147 containing an infected web page that caused unsolicited files to be downloaded and executed.

    For further details about vulnerable IIS servers and IE clients, see http://www.microsoft.com/security/incident/download_ject.mspx

    The exploit results in a CHM (Microsoft Compiled Help) file being written to the local system allowing for additional exploit code to then execute the downloaded file.

    The end result is the execution of arbitrary code at the permission level of the current user.

     

     

    JS/Exploit-DialogArg.bJ
    June 25, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Low-Profiled
    Minimum VirusScan DAT: 4370 (released 6/25/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_126241.htm

    June 25, 2004

    Media attention has been given to several commercial IIS websites being remotely hacked recently. Code containing the JS/Exploit-DialogArg.b exploit is appended to files (e.g. .html, .txt, .gif) in the web folder of the compromised IIS web server, which causes unsolicited files to be downloaded and executed on the user's computer. Users are infected when they access these infected web pages with their Internet Explorer web browser.

    For further details about vulnerable IIS servers and IE clients, see http://www.microsoft.com/security/incident/download_ject.mspx

     

     

    W32/Zafi.b@MM
    June 14, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4366 (released 6/14/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_126242.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.8, updated 6/14/2004)

    June 14, 2004 9:00 a.m. HST - NAI has raised the risk of W32/Zafi.b@MM to MEDIUM due to increased prevalence.

    W32/Zafi.b@MM spreads via mass email with .EXE, .COM, or .PIF attachments (12,800 bytes) and P2P (peer-to-peer) filesharing, copying itself to folders with SHARE or UPLOAD in the folder name. The worm overwrites executables in directories of anti-virus and personal firewall software with a copy of itself. It terminates processes with strings containing REGEDIT, MSCONFIG, and TASK.

    The infected email message arrives with a spoofed FROM address. It uses its own SMTP engine to construct messages, in various languages, depending on the top level domain of the recipient's address. For example, a user with a .COM email address will receive a message in English, while someone with a .DE email address will receive a message in German.

    Some English examples are:

    To: jennifer
    Subject: You`ve got 1 VoiceMessage!
    Attachment: "link.voicemessage.com.listen.index.php1Ab2c.pif"
    Body:
    Dear Customer! You`ve got 1 VoiceMessage from voicemessage.com website! Sender: You can listen your Virtual VoiceMessage at the following link: http://virt.voicemessage.com/index.listen.php2=35affv or by clicking the attached link. Send VoiceMessage! Try our new virtual VoiceMessage Empire! Best regards: SNAF.Team (R).

    To: jennifer
    Subject: Don`t worry, be happy!
    Attachment: "www.ecard.com.funny.picture.index.nude.php356.pif"
    Body:
    Hi Honey! I`m in hurry, but i still love ya... (as you can see on the picture) Bye - Bye:

    To: david
    Subject: Check this out kid!!!
    Attachment: "jennifer the wild girl xxx07.jpg.pif"
    Body:
    Send me back bro, when you`ll be done...(if you know what i mean...) See ya,

    In addition to these messages, the worm may also arrive with a random attachment name using one of the following extensions: .COM, .EXE, .PIF.

    The worm harvests email messages from the local hard drive and stores them in five files in the SYSTEM32 folder using random names and the .DLL file extension.

    C:\WINNT\system32\kenbdplk.dll
    C:\WINNT\system32\zibscdes.dll
    C:\WINNT\system32\qfafsxoz.dll
    C:\WINNT\system32\zhzukrhp.dll
    C:\WINNT\system32\sdxsuwxt.dll

    References to these files are stored in the following Registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\_Hazafibb

    When executed, the worm copies itself twice to the default Windows SYSTEM32 folder using a random name with a .EXE and .DLL extension.

    For example,
    C:\WINNT\system32\jrbtgmqi.exe
    C:\WINNT\system32\enfrbatm.dll

    It creates a Registry key so the file gets executed every time the system starts:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "_Hazafibb" = %windir%\System32\jrbtgmqi.exe

    P2P Propagation

    The worm copies itself to directories on the c: drive containing the string SHARE or UPLOAD using the following filenames:

    • Total Commander 7.0 full_install.exe
    • winamp 7.0 full_install.exe
    Windows ME/XP users (special removal instructions):
    Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must temporarily disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore. You may enable System Restore once the viruses have been cleaned or deleted.

     

     

    W32/Lovgate.ab@MM
    May 18, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4361 (released 5/18/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125301.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.7, updated 5/18/2004)

    March 18, 2004 6:30 pm HST - NAI has raised the risk of W32/Lovgate.ab@MM to MEDIUM due to increased prevalence.

    W32/Lovgate.ab@MM is a mass mailing and network worm with these characteristics:

    • drops a backdoor component
    • attempts to copy itself to remote shares with weak passwords, scanning contiguous IP ranges, seeking accessible IPC$ or ADMIN$ shares.
    • creates a share on the victim machine (share name "MEDIA").
    • mails itself, constructing messages with its own SMTP engine. The email attachment may be a ZIP archive. Additionally, mails may be sent in reply to email messages found on the victim machine (MAPI).
    • performs companion virus infection of EXE files (replacing original file with a copy of itself, and renaming original with a .ZMX extension).
    • terminates processes associated with various AV and security products
    To help protect against the spread of W32/Lovgate and similar worms:
    • disable file and printer sharing, unless you need to share resources
    • all shares need a strong password (i.e. combination of upper, lower case, numbers and special characters); do not leave the password blank
    • map network drives only as needed
    • limit/specify which accounts can connect to your shares
    Email Component

    W32/Lovgate.ab@MM arrives in email with the following characteristics:

    FROM: spoofed or using harvested email addresses or using random characters or constructed from a list of common first names with the domain attached.

    For example,
    • adam
    • alex
    • alice
    • andrew
    • anna
    • bill
    • bob
    • brenda
    • brent
    • brian
    • claudia
    • dan
    • dave
    • david
    • debby
    • fred
    • george
    • helen
    • jack
    • james
    • jane
    • jerry
    • jim
    • jimmy
    • joe
    • john
    • jose
    • julie
    • kevin
    • leo
    • linda
    • maria
    • mary
    • matt
    • michael
    • mike
    • peter
    • ray
    • robert
    • sam
    • sandra
    • serg
    • smith
    • stan
    • steve
    • ted
    • tom
    Attachment: The worm may be attached with one of the following file extensions:
    • EXE
    • SCR
    • PIF
    • CMD
    • BAT
    Additionally, the attachment may be a copy of the worm within a ZIP archive (with either a RAR or ZIP extension). In this case, the worm within the archive may have a double extension, which may contain many spaces (e.g. .HTM          .EXE).

    *** The worm can also reply to unread messages in Microsoft Outlook and Outlook Express inboxes (using MAPI). It deletes the original messages after replying to them. These messages have the following characteristics:

    Subject: Re: (original subject)

    Attachment: Can be any of the following:
    • the hardcore game-.pif
    • Sex in Office.rm.scr
    • Deutsch BloodPatch!.exe
    • s3msong.MP3.pif
    • Me_nude.AVI.pif
    • How to Crack all gamez.exe
    • Macromedia Flash.scr
    • SETUP.EXE
    • Shakira.zip.exe
    • dreamweaver MX (crack).exe
    • StarWars2 - CloneAttack.rm.scr
    • Industry Giant II.exe
    • DSL Modem Uncapper.rar.exe
    • joke.pif
    • Britney spears nude.exe.txt.exe
    • I am For u.doc.exe
    Symptoms
    When the worm is executed, it copies itself (108,554 bytes) on the local hard drive as:
    • %SysDir%\IEXPLORE.EXE
    • %SysDir%\KERNEL66.DLL
    • %SysDir%\RAVMOND.exe
    • %WinDir%\SYSTRA.EXE
    • C:\COMMAND.EXE
    The following DLLs (the remote access component) are dropped:
    • %SysDir%\MSJDBC11.DLL
    • %SysDir%\MSSIGN30.DLL
    • %SysDir%\ODBC16.DLL
    • %SysDir%\LMMIB20.DLL
    The following Registry keys are added in order to run the worm at system startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "run" = RAVMOND.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Program In Windows" = %SysDir%\IEXPLORE.EXE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "SystemTra" = %WinDir%\SYSTRA.EXE
    The following keys are added to run the backdoor component at system startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "VFW Encoder/Decoder Settings" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Protected Storage" = RUNDLL32.EXE MSSIGN30.DLL ondll_reg
    The backdoor component is also installed as two services on the victim machine, the services bearing the following characteristics:

    Service 1
    Display name: _reg
    ImagePath: Rundll32.exe msjdbc11.dll ondll_server
    Startup: automatic

    Service 2
    Display name: Windows Management Protocol v.0 (experimental)
    Description: Windows Advanced Server. Performs scheduled scans for LANguard.
    ImagePath: Rundll32.exe msjdbc11.dll ondll_server
    Startup: automatic

    The following Registry keys house the services information:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Management Protocol v.0 (experimental)
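    The start-up hooks listed for W32/Lovgate.ad@MM and W32/Lovgate.ab@MM (the Run and RunServices values, the "run" value under Windows NT\CurrentVersion\Windows, and the two backdoor service keys) can be checked on a suspect machine from a plain Registry export, without running anything on the box. The following is an added example for both Lovgate alerts, not ITS or McAfee code: it parses the text that `reg export` produces and reports the values that name the files or DLL entry points the alerts list. The indicators are transcribed from the alerts; the export below is constructed to look like one from an infected host and is not a real capture.

```python
"""Scan a Registry export for the W32/Lovgate start-up hooks listed above.

Added example for the Lovgate.ad and Lovgate.ab alerts; it is not ITS or
McAfee code. The key and value indicators are transcribed from the alerts.
The export text is constructed to look like `reg export` output from an
infected host and is not a real capture.
"""
import re

# Start-up locations the alerts list (compared case-insensitively).
AUTORUN_KEYS = (
    "software\\microsoft\\windows\\currentversion\\run",
    "software\\microsoft\\windows\\currentversion\\runservices",
    "software\\microsoft\\windows nt\\currentversion\\windows",
)
# Service keys the Lovgate.ab alert says house the backdoor services.
SERVICE_KEYS = (
    "system\\currentcontrolset\\services\\_reg",
    "system\\currentcontrolset\\services\\windows management protocol v.0 (experimental)",
)
# File names and exported DLL entry points named in the alerts.
VALUE_INDICATORS = (
    "ravmond.exe", "hxdef.exe", "systra.exe", "netmanager.exe",
    "mssign30.dll", "msjdbc11.dll", "ondll_reg", "ondll_server",
    "system32\\iexplore.exe", "%sysdir%\\iexplore.exe",   # real IE lives under Program Files
)

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _decode_value(raw: str) -> str:
    """Decode the value encodings reg export uses that matter here."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])          # REG_SZ: unescape \\ and \"
    if raw.lower().startswith("hex(2):"):                   # REG_EXPAND_SZ as UTF-16LE bytes
        return bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    return raw                                              # other types left as written


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name: decoded value}} from .reg text."""
    keys, current, pending = {}, None, ""
    for physical in text.splitlines():
        line = pending + physical.strip()
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if current is not None and match:
            name = "(Default)" if match.group(2) else match.group(1)
            keys[current][name] = _decode_value(match.group(3))
    return keys


def scan_reg_export(text: str) -> list:
    """List (key, value name, indicator) triples worth a closer look."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if any(k.endswith(s) for s in SERVICE_KEYS):
            findings.append((key, None, "service key named in the alert"))
        in_scope = any(a in k for a in AUTORUN_KEYS) or "\\services\\" in k
        for name, value in values.items():
            hit = next((ind for ind in VALUE_INDICATORS if ind in value.lower()), None)
            if hit and in_scope:
                findings.append((key, name, hit))
    return findings


# Constructed export: one legitimate Run value beside the Lovgate hooks.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"Program In Windows"="C:\\WINNT\\System32\\IEXPLORE.EXE"
"Protected Storage"="RUNDLL32.EXE MSSIGN30.DLL ondll_reg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SystemTra"="C:\\WINNT\\SYSTRA.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="RAVMOND.exe"
"load"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_reg]
"DisplayName"="_reg"
"Start"=dword:00000002
"ImagePath"=hex(2):52,00,75,00,6e,00,64,00,6c,00,6c,00,33,00,32,00,2e,00,65,00,\
  78,00,65,00,20,00,6d,00,73,00,6a,00,64,00,62,00,63,00,31,00,31,00,2e,00,64,00,\
  6c,00,6c,00,20,00,6f,00,6e,00,64,00,6c,00,6c,00,5f,00,73,00,65,00,72,00,76,00,\
  65,00,72,00,00,00
"""

if __name__ == "__main__":
    for key, name, indicator in scan_reg_export(SAMPLE_EXPORT):
        print(f"{indicator:32} {key} :: {name}")
```

    A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text in. Service ImagePath values are REG_EXPAND_SZ and therefore appear as `hex(2):` byte runs split across continuation lines; the parser joins and decodes them, which is what turns the `_reg` service's path back into `Rundll32.exe msjdbc11.dll ondll_server`.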
    A copy of the worm in a ZIP archive (which may itself have a .ZIP or .RAR extension) may also be dropped to the root of local and mapped drives. The archive will contain a copy of the worm with a COM, EXE, PIF or SCR extension. The archive may have various filenames, for example:
    • password
    • email
    • book
    • letter
    • bak
    • work
    • Important
    Peer-to-Peer (P2P) Folder Propagation
    The worm copies itself to the shared folders commonly used by P2P applications such as KaZaa and LimeWire. It copies itself using the following filenames:
    • Thank you.doc.exe
    • 3D Flash Animator.rar.bat
    • SWF Browser2.93.txt.exe
    • Download.exe
    • Panda Crack.zip.exe
    • WinRAR V3.2.0 Beta 2.exe
    • Swish2.00.pif
    • AAdobe Photoshop7.0 creak.pif
    • You_Life.JPG.pif
    • CloneCD crack.exe
    • WinZip v9.0 Beta Build 5480 crack.exe
    • Real-DRAW PRO v3.10.exe
    • Star Wars Downloader.exe
    • HyperSnap-DX v5.20.01.exe
    • Adobe Photoshop6.0.zip.exe
    • HyperSnap-DX v4.51.01.exe
    Network Propagation
    The worm attempts to connect to remote shares (IPC$ and ADMIN$), using a list of usernames and passwords it carries. If the worm is able to copy itself to remote shares, it attempts to execute itself remotely. It does this by copying itself as:

    ADMIN$\SYSTEM32\NETMANAGER.EXE

    and remotely executing it as a service. The service bears the following characteristics:

    Display name: Windows Management NetWork Service Extensions
    ImagePath: NetManager.exe -exe_start
    Startup: Automatic

    The worm replaces EXE files on mapped network drives with a copy of itself and renames the original file with a .ZMX extension.
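    The companion infection described here leaves a distinctive trace: for every EXE the worm replaced, the original sits beside it renamed with a .ZMX extension, and the EXE in its place has the worm's size. The following is an added example for the Lovgate.ab alert (the same .ZMX behaviour is described for Lovgate.ad above), not ITS or McAfee code: it walks a directory tree, pairs each .ZMX file with the .EXE next to it, reports whether that EXE has one of the worm sizes the alerts give, and also flags the dropped file names they list. The tree it scans is constructed in a temporary folder with harmless placeholder files.

```python
"""Sweep a directory tree for W32/Lovgate companion-infection artefacts.

Added example for the Lovgate.ad and Lovgate.ab alerts; it is not ITS or
McAfee code. It looks for the .ZMX rename the alerts describe (an EXE replaced
by the worm, the original kept beside it with a .ZMX extension) and for the
dropped file names they list. The tree it scans is constructed in a temporary
folder; the file sizes are the worm sizes the alerts give.
"""
import os
import tempfile
from pathlib import Path

DROPPED_NAMES = {   # dropped files named in the alerts, lower-cased
    "kernel66.dll", "ravmond.exe", "hxdef.exe", "update_ob.exe", "tkbellexe.exe",
    "systra.exe", "svchost.exe.exe", "command.exe", "netmanager.exe",
    "msjdbc11.dll", "mssign30.dll", "odbc16.dll", "lmmib20.dll",
}
WORM_SIZES = {152064, 108554}   # Lovgate.ad and Lovgate.ab copy sizes from the alerts


def sweep(root) -> list:
    """Return sorted (kind, relative path, note) triples for suspect files under root."""
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        here = Path(dirpath)
        by_lower = {f.lower(): f for f in filenames}
        for name in filenames:
            low = name.lower()
            rel = (here / name).relative_to(root).as_posix()
            if low.endswith(".zmx"):
                twin = by_lower.get(low[:-4] + ".exe")
                if twin is None:
                    findings.append(("orphan-zmx", rel, "no .exe beside it"))
                else:
                    size = (here / twin).stat().st_size
                    note = f"{twin} is {size} bytes"
                    if size in WORM_SIZES:
                        note += " (matches a Lovgate copy)"
                    findings.append(("companion", rel, note))
            elif low in DROPPED_NAMES:
                findings.append(("dropped-name", rel, "file name listed in the alert"))
    return sorted(findings)


def build_sample_tree(base) -> Path:
    """Construct a small tree with one companion pair and one dropped name (no real malware)."""
    base = Path(base)
    tools = base / "Share" / "tools"
    tools.mkdir(parents=True)
    (tools / "putty.exe").write_bytes(b"MZ" + b"\x00" * (152064 - 2))   # worm-sized stand-in
    (tools / "putty.zmx").write_bytes(b"MZ original program")
    (base / "Share" / "readme.txt").write_bytes(b"nothing to see here")
    sys32 = base / "WINNT" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "KERNEL66.DLL").write_bytes(b"MZ")
    (sys32 / "kernel32.dll").write_bytes(b"MZ")   # legitimate name, must not be flagged
    return base


def demo() -> list:
    """Build the sample tree in a temporary folder and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, path, note in demo():
        print(f"{kind:13} {path}  {note}")
```

    Run `sweep()` against a mapped drive or a mounted disk image after the DAT update has cleaned the machine: the .ZMX originals are what you restore from, by deleting the worm copy and renaming the .ZMX back to .EXE, and a .ZMX with no EXE beside it means the worm copy has already been removed by the scanner.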

    Windows ME/XP users (special removal instructions):
    Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must temporarily disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore. You may enable System Restore once the viruses have been cleaned or deleted.

     

     

    W32/Bagle.ab@MM
    (aka W32.Beagle.x@MM)
    May 10, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4359 (released 5/10/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125089.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.6, updated 5/10/2004)

    NAI has raised the threat level of the new variant, W32/Bagle.ab@MM, to MEDIUM due to increased prevalence.

    W32/Bagle.ab@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

    It opens TCP port 2535 on the victim computer, allowing remote access.

    The worm also spreads via files in shared folders whose names contain the phrase SHAR, as used by peer-to-peer filesharing applications such as KaZaa, Bearshare, LimeWire, etc.

    When the worm is executed, a false error message will be displayed:



    This is a mass-mailing worm with the following characteristics:

    • contains its own SMTP engine to construct outgoing messages
    • harvests email addresses from the victim machine
    • the From: address of messages is spoofed
    • attachment can be a password-protected zip file, with the password included in the message body.
    • contains a remote access component (TCP port 2535 is opened)
    • copies itself to folders that have the phrase shar in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)

    The worm arrives in email with these characteristics:

    FROM: (spoofed)

    SUBJECT: (one of the following)
    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Notification
    • Changes..
    • New changes
    • Hidden message
    • Fax Message Received
    • Protected message
    • RE: Protected message
    • Forum notify
    • Site changes
    • Re: Hi
    • Encrypted document
    Body Text: Various strings constructed by the worm's own SMTP engine

    If the attachment is a ZIP file, then the Body will contain one of the following messages:
    • For security reasons attached file is password protected. The password is
    • For security purposes the attached file is password protected. Password --
    • Note: Use password
    • Attached file is protected with the password for security reasons. Password is
    • In order to read the attach you have to use the following password:
    • Archive password:
    • Password
    • Password:
    followed by a copy of an image file dropped as drvddll.exeopenopen.

    If the attachment is not a ZIP file, the Body will be blank.

    ATTACHMENT: (one of the following)
    • Information
    • Details
    • text_document
    • Readme
    • Document
    • Info
    • the_message
    • Details
    • MoreInfo
    • Message
    • You_will_answer_to_me
    • Half_Live
    • Counter_strike
    • Loves_money
    • the_message
    • Alive_condom
    • Joke
    • Toy
    • Nervous_illnesses
    • Manufacture
    • You_are_dismissed
    • Your_complaint
    • Your_money
    • Smoke
    • I_search_for_you
    with one of the following file extensions:
    • Script dropper, using one of the following file extensions:
      • HTA
      • VBS
    • Executable, using one of the following file extensions:
      • exe
      • scr
      • com
      • cpl
    • Executable dropper, CPL file with .CPL file extension.
    The executable uses an icon that looks like an envelope.


    The CPL file uses an icon that looks like 2 gears.


    The virus copies itself in the Windows System directory as DRVDDLL.EXE.

    For example, c:\winnt\system32\drvddll.exe.

    It also creates other files in the Windows System directory:
    • DRVDDLL.EXEOPEN (copy of the worm)
    • DRVDDLL.EXEOPENOPEN (copy of the worm)
    A copy of the worm, CPLSTUB.EXE, is dropped in the Windows directory.

    The worm adds the following Registry key to hook the system on startup:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe
    The worm attempts to terminate anti-virus, security and Windows programs, such as regedit.exe.

    The virus listens on TCP port 2535 for remote connections. It attempts to notify the author that the infected system is ready to accept commands, by contacting various websites, calling a PHP script on the remote sites (mostly in Germany).

    It copies files (containing the worm) to folders with the phrase SHAR, which is commonly used in peer-to-peer filesharing programs like KaZaa, Bearshare, Limewire, etc. The copies use these filenames:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe

    For Windows ME/XP users:

    Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

     

     

    W32/Gaobot.worm.ali
    May 4, 2004

    Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Low
    Minimum VirusScan DAT: 4358 (released 5/5/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125006.htm

    W32/Gaobot.worm.ali appears to be the first Gaobot (aka Agobot) variant that exploits the MS04-011 (LSASS vulnerability). Although this virus is rated LOW (depends on an IRC server which is no longer available), it is presumed that other more functional variants will soon follow. DAT 4358 is scheduled for release on May 5, 2004.

    Note: this variant has been detected at one of the UH Community Colleges and UH Manoa and may be confused with the Sasser worm (which also shuts down and restarts computers).

    *** Important: if you have not already patched your Windows system (Windows NT, Windows 2000, Windows XP, Windows server 2003), please do so ASAP. Go to http://windowsupdate.microsoft.com, click on scan for updates, and install all critical updates. Windows Update should be done regularly, at least once or twice a month.

    You can also get the MS04-011 (KB835732) patch from http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

    Unless you patch your Windows, your system will get infected (or reinfected even after you clean your virus infection). You MUST patch your system; running Stinger or scanning all files on your hard drive is NOT sufficient.

    For maximum protection against the Gaobot family (more than 900 variants), users are recommended to:

    • use the latest engine/DATs combination
    • ensure the scanning of compressed files is enabled
    • keep Windows systems patched by using Windows Update
    • ensure weak username/passwords are not used (use upper, lower case, numbers and special characters; don't use dictionary passwords)
    • run a personal desktop firewall application
    The virus contains lots of remote access functionality, including:
    • Create/Remove services
    • Denial of service attack
    • FTP/HTTP functions (upload, download files, etc)
    • IRC functions
    • Retrieve system information (RAM, CPU, Disk Space)
    • Secure/insecure Windows shares
    • Shutdown/reboot/logoff computer
    • Sniffer
    • Steal CD and product keys for various products
    • Terminate running processes
    When run, this virus copies itself to the Windows System directory (c:\winnt\system32 or c:\windows\system32) as msiwin84.exe and creates several registry run keys in order to load itself at system startup.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft Update" = msiwin84.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Microsoft Update" = msiwin84.exe
    The virus attempts to run a speed test for Internet connectivity by contacting various web sites.

    The virus attempts to connect to an Internet Relay Chat server (TCP port 6667) to allow a remote attacker to send commands to the infected system:
    • malalala.bin-laden.cc
    This threat is reliant upon connecting to this IRC server, and receiving spread commands in order to propagate. At the time of this writing, the DNS entry for this domain has been set to 0.0.0.0, therefore crippling this threat.

    Infected systems listen on two random TCP ports, which are control ports for attackers to exploit.

    The local HOSTS file (%SysDir%\drivers\etc\hosts) is overwritten to block access to various anti-virus and security web sites (note this file is detected with current DAT files as Qhosts.apd).
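The HOSTS-file tampering described above is easy to audit from a copy of the file. The following is an added example in Python (not code from the page or from McAfee): it parses the text of a hosts file and reports any watched security or update site that has been pinned to loopback, 0.0.0.0 or another address. The watchlist and the sample file content are constructed for the example.

```python
"""Flag HOSTS-file entries that sinkhole anti-virus or Windows Update sites.

Added example, not part of the original alert. Gaobot rewrites
%SysDir%\\drivers\\etc\\hosts so that security sites resolve to a dead
address; this reads the file's text and reports every watched name that has
been pinned to loopback, 0.0.0.0 or any other address. The watchlist and the
sample file content below are constructed for the example.
"""
import ipaddress

# Constructed watchlist: public names that never belong in a local HOSTS file.
# Extend it with the vendors your site relies on.
WATCHED_SUFFIXES = ("nai.com", "microsoft.com")

# Constructed sample: two names sinkholed, one redirected, one harmless local entry.
SAMPLE_HOSTS = """\
# local name resolution (constructed sample)
127.0.0.1       localhost
127.0.0.1       vil.nai.com
0.0.0.0         windowsupdate.microsoft.com   # added by the worm
10.9.8.7        download.microsoft.com
192.168.1.20    intranet.example.edu
"""


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a mapping line (or malformed)
        for host in fields[1:]:
            yield ip, host


def find_tampering(text):
    """Return [(hostname, ip, verdict)] for watched names found in the file.

    verdict is 'sinkholed' when the address is loopback or unspecified
    (the classic Qhosts pattern) and 'redirected' for any other address.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        findings.append((host, str(ip), "sinkholed" if sinkholed else "redirected"))
    return findings


if __name__ == "__main__":
    for host, ip, verdict in find_tampering(SAMPLE_HOSTS):
        print(f"{verdict:10s} {host} -> {ip}")
```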

    It also attempts to terminate anti-virus, security, other viruses and Windows programs, e.g. regedit.exe.

    The worm spreads via accessible or poorly secured network shares. It has a list of commonly used username/password combinations.

    For Windows ME/XP users:

    Windows ME/XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

     

     

    W32/Sasser.worm.d
    May 4, 2004

    Platform: Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4357 (released 5/4/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125012.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.5, updated 5/4/2004)

    May 4, 2004 - NAI has raised the risk of W32/Sasser.worm.d to MEDIUM due to increased prevalence.

    W32/Sasser.worm.d is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 (KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and then execute the viral code.

    Windows NT, Windows 2000, Windows XP and Windows server 2003 users must patch their system for the MS04-011 LSASS vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, scan for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

    Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

    W32/Sasser.worm.d functions similarly to the original variant, with the following exceptions:

    • This variant spreads with the filename SKYNETAVE.EXE (16,384 bytes)
    • It sends ICMP echo packets to discover potential victims
    • It creates a remote shell on TCP Port 9995 rather than 9996
    The worm spreads with filename skynetave.exe (16,384 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "skynetave.exe" = C:\WINDOWS\skynetave.exe
    The worm scans random IP addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9995 and creates an FTP script named cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

    A file named win2.log is created on the root of the C: drive. This file contains an IP address and the number of computers infected.

    Copies of the worm are created in the Windows System directory as #_up.exe where # is a 4- or 5-digit number.

    Examples
    • c:\WINDOWS\system32\26347_up.exe
    • c:\WINDOWS\system32\5157_up.exe
    A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

    You may get the following windows when LSASS.EXE crashes:




    The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The worm scans private IPs such as 10.0.0.0 and 192.168.0.0 only if they are part of the local subnet. The destination port is TCP 445.

    For Windows XP users:

    Windows XP utilizes a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

     

     

    W32/Sasser.worm.b
    May 3, 2004

    Platform: Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4356 (released 5/2/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125008.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.4, updated 5/2/2004)

    May 2, 2004 - NAI has raised the risk of W32/Sasser.worm.b to MEDIUM due to increased prevalence.

    W32/Sasser.worm.b is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 (KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and then execute the viral code.

    Windows NT, Windows 2000, Windows XP and Windows Server 2003 users must patch their system for the MS04-011 vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, scan for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

    Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

    The worm spreads with filename avserve2.exe (15,872 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe
    The worm scans random IP addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9996 and creates an FTP script named cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

    A file named win2.log is created on the root of the C: drive. This file contains an IP address.

    Copies of the worm are created in the Windows System directory as #_up.exe.

    Examples
    • c:\WINDOWS\system32\11583_up.exe
    • c:\WINDOWS\system32\16913_up.exe
    • c:\WINDOWS\system32\29739_up.exe
    A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

    You may get the following windows when LSASS.EXE crashes:




    The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.

    For Windows XP users:

    Windows XP utilizes a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.

     

     

    W32/Sasser.worm.a
    May 3, 2004

    Platform: Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4355 (released 5/1/2004)
    Updated VirusScan DAT: 4356 (released 5/2/2004)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_125007.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.4, updated 5/2/2004)

    May 1, 2004 - NAI raised the risk of W32/Sasser.worm.a to MEDIUM due to increased prevalence.

    W32/Sasser.worm.a is an Internet worm that spreads via the network, exploiting unpatched Windows systems with the vulnerability described in Microsoft Security Bulletin MS04-011 (KB835732). This worm doesn't spread via email. No user intervention is required to become infected or to propagate the worm further. The worm instructs vulnerable systems to download and then execute the viral code.

    Windows NT, Windows 2000, Windows XP and Windows Server 2003 users must patch their system for the MS04-011 vulnerability to prevent infection (and reinfection). Go to http://windowsupdate.microsoft.com, scan for updates, and install all critical updates. The patch is also available at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.

    Note: the Sasser worm can run on (but not infect) Windows 95/98/ME computers. These systems can be used to infect other vulnerable systems.

    The worm spreads with filename avserve.exe (15,872 bytes). It copies itself to the Windows directory and creates a registry key to load itself on startup:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
    The worm scans random IP addresses for exploitable systems, using successive TCP ports starting at 1068. When it finds a vulnerable system, it causes a buffer overflow in LSASS.EXE. It creates a remote shell on TCP port 9996 and creates an FTP script named cmd.ftp on the remote host and executes it. The FTP script instructs the target system to download and execute the worm (filename #_upd.exe) from the infected host. The infected host accepts FTP traffic on TCP port 5554.

    A file named win.log is created on the root of the C: drive. This file contains the IP address of the local host.

    Copies of the worm are created in the Windows System directory as #_up.exe.

    Examples
    • c:\WINDOWS\system32\11583_up.exe
    • c:\WINDOWS\system32\16913_up.exe
    • c:\WINDOWS\system32\29739_up.exe
    A side-effect of the worm is for LSASS.EXE to crash; by default the system will reboot after the crash occurs.

    You may get the following windows when LSASS.EXE crashes:




    The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.

    For Windows XP users:

    Windows XP utilizes a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.
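The three Sasser alerts above (.a, .b and .d) share one network signature: sweeps of TCP 445 from source ports climbing upward from 1068, a remote shell on 9996 (9995 for .d) and the worm served back over FTP on 5554. The following added example in Python (not code from the page or from McAfee) looks for that pattern in a connection log; the log format, the sample lines and the five-target threshold are constructed for the example.

```python
"""Detect Sasser-style LSASS scanning and its follow-on channels in a connection log.

Added example, not part of the original alerts. The log format is constructed
("<time> <src>:<sport> > <dst>:<dport> tcp"); the port numbers come from the
Sasser alerts above: TCP 445 is the scan target, source ports climb from 1068,
9995/9996 carry the remote shell and 5554 serves the worm over FTP.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\S+\s+(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+tcp$"
)

SCAN_PORT = 445                # LSASS is reached over SMB on TCP 445
FIRST_SCAN_SOURCE_PORT = 1068  # the worm walks its source ports upward from here
SHELL_PORTS = {9995, 9996}     # remote shell opened on the exploited host (.d uses 9995)
FTP_SERVER_PORT = 5554         # the infected host serves #_up.exe over FTP here

# Constructed sample: 10.1.2.50 sweeps six neighbours on 445 with climbing
# source ports, drives the shell on 10.1.2.6 over 9996, and 10.1.2.6 pulls the
# worm back over 5554. 10.1.2.77 is an ordinary client of one file server.
SAMPLE_LOG = """\
10:00:01 10.1.2.50:1068 > 10.1.2.1:445 tcp
10:00:01 10.1.2.50:1069 > 10.1.2.2:445 tcp
10:00:01 10.1.2.50:1070 > 10.1.2.3:445 tcp
10:00:02 10.1.2.50:1071 > 10.1.2.4:445 tcp
10:00:02 10.1.2.50:1072 > 10.1.2.5:445 tcp
10:00:02 10.1.2.50:1073 > 10.1.2.6:445 tcp
10:00:03 10.1.2.50:1074 > 10.1.2.6:9996 tcp
10:00:04 10.1.2.6:1045 > 10.1.2.50:5554 tcp
10:00:05 10.1.2.77:3201 > 10.1.2.10:445 tcp
10:00:06 10.1.2.77:3202 > 10.1.2.10:445 tcp
10:00:07 10.1.2.77:3203 > 10.1.2.10:445 tcp
10:00:07 10.1.2.77:3204 > 10.1.2.10:445 tcp
10:00:08 10.1.2.77:3205 > 10.1.2.10:445 tcp
10:00:08 10.1.2.77:3206 > 10.1.2.10:445 tcp
"""


def parse(line):
    """Return (src, sport, dst, dport) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def analyze(lines, min_targets=5):
    """Classify hosts: scanners, follow-on connections, and likely new victims."""
    scan_hits = defaultdict(list)   # src -> [(sport, dst)] for connections to 445
    follow_on = []                  # (src, dst, dport) on the shell or FTP ports
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, sport, dst, dport = rec
        if dport == SCAN_PORT:
            scan_hits[src].append((sport, dst))
        elif dport in SHELL_PORTS or dport == FTP_SERVER_PORT:
            follow_on.append((src, dst, dport))

    scanners = {}
    for src, hits in scan_hits.items():
        targets = {dst for _, dst in hits}
        if len(targets) < min_targets:      # a normal client hits few distinct hosts
            continue
        sports = [sport for sport, _ in hits]
        climbing = all(b > a for a, b in zip(sports, sports[1:]))
        scanners[src] = {
            "distinct_targets": len(targets),
            "sequential_source_ports": climbing and sports[0] >= FIRST_SCAN_SOURCE_PORT,
        }

    victims = set()
    for src, dst, dport in follow_on:
        if dport in SHELL_PORTS and src in scanners:
            victims.add(dst)    # a scanner drove the remote shell on dst
        if dport == FTP_SERVER_PORT and dst in scanners:
            victims.add(src)    # src fetched the worm from a scanner
    return {"scanners": scanners, "follow_on": follow_on, "likely_victims": victims}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for host, info in report["scanners"].items():
        print(f"scanner {host}: {info}")
    print("likely new victims:", sorted(report["likely_victims"]))
```

A host flagged as a scanner is already infected; a host in likely_victims has had its shell driven or has fetched the worm and should be treated as compromised even before #_up.exe shows up on its disk.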

     

     

    W32/Netsky.ab@MM
    April 28, 2004

    Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4354 (released 4/28/2004 9:25 am HST)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_124873.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.2, updated 4/28/2004)

    W32/Netsky.ab@MM variant has been raised to MEDIUM risk due to increased prevalence.

    W32/Netsky.ab@MM is spread via email, arriving from a spoofed or forged FROM address, and attachment with a PIF extension. Outgoing email messages are constructed using the virus' SMTP engine. Email addresses are harvested from files on the local computer.

    W32/Netsky.ab@MM arrives in email with the following characteristics:

    FROM: (spoofed, using one of the harvested email addresses)

    SUBJECT: (one of the following)

    • Correction
    • Hurts
    • Privacy
    • Password
    • Wow
    • Criminal
    • Pictures
    • Text
    • Money
    • Stolen
    • Found
    • Numbers
    • Funny
    • Only
    • love?
    • More
    • samples
    • Picture
    • Letter
    • Question
    • Illegal
    BODY: (one of the following)
    • Please use the font arial!
    • How can I help you?
    • Still?
    • I've your password.
    • Take it easy!
    • Why do you show your body?
    • Hey, are you criminal?
    • Your pictures are good!
    • The text you sent to me is not so good!
    • True love letter?
    • Do you have no money?
    • Do you have asked me?
    • I've found your creditcard.
    • Check the data!
    • Are your numbers correct?
    • You have no chance...
    • Wow! Why are you so shy?
    • Do you have more samples?
    • Do you have more photos about you?
    • Do you have written the letter?
    • Does it hurt you?
    • Please do not sent me your illegal stuff again!!!
    ATTACHMENT: (PIF extension with one of the following filenames)
    • corrected_doc.pif
    • hurts.pif
    • document1.pif
    • passwords02.pif
    • image034.pif
    • myabuselist.pif
    • your_picture01.pif
    • your_text01.pif
    • your_letter.pif
    • your_bill.pif
    • my_stolen_document.pif
    • visa_data.pif
    • pin_tel.pif
    • your_text.pif
    • loveletter02.pif
    • all_pictures.pif
    • your_letter_03.pif
    • your_picture.pif
    • abuses.pif
    The virus installs itself as CSRSS.EXE in the default Windows directory, e.g. c:\windows or c:\winnt.

    It adds a Registry key to hook the system on startup:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "BagleAV" = %WinDir%\CSRSS.EXE
    It sends DNS queries to one of a number of hard-coded IP addresses.

     

     

    W32/Bagle.aa@MM
    (aka W32.Beagle.x@MM)
    April 28, 2004

    Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium on Watch
    Minimum VirusScan DAT: 4354 (released 4/28/2004 9:25 am HST)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_124875.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.2, updated 4/28/2004)

    NAI has raised the threat level of the new variant, W32/Bagle.aa@MM, to MEDIUM on Watch due to increased prevalence.

    W32/Bagle.aa@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

    The worm is also spread via files on shared folders with the phrase SHAR used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limewire, etc.

    When the worm is executed, a false error message will be displayed:


    The email message will have the following characteristics:

    FROM: (spoofed)

    SUBJECT: (one of the following)

    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • RE: Incoming Msg
    • RE: Message Notify
    • Notification
    • Changes..
    • New changes
    • Hidden message
    • Fax Message Received
    • Protected message
    • RE: Protected message
    • Forum notify
    • Site changes
    • Re: Hi
    • Encrypted document
    Body Text: Various strings constructed by the worm's own SMTP engine

    If the attachment is a ZIP file, then the Body will contain one of the following messages:
    • For security reasons attached file is password protected. The password is
    • For security purposes the attached file is password protected. Password --
    • Note: Use password
    • Attached file is protected with the password for security reasons. Password is
    • In order to read the attach you have to use the following password:
    • Archive password:
    • Password
    • Password:
    followed by a copy of an image file dropped as drvddll.exeopenopen.

    If the attachment is not a ZIP file, the Body will be blank.

    Attachment: (one of the following)
    • Information
    • Details
    • text_document
    • Readme
    • Document
    • Info
    • the_message
    • Details
    • MoreInfo
    • Message
    • You_will_answer_to_me
    • Half_Live
    • Counter_strike
    • Loves_money
    • the_message
    • Alive_condom
    • Joke
    • Toy
    • Nervous_illnesses
    • Manufacture
    • You_are_dismissed
    • Your_complaint
    • Your_money
    • Smoke
    • I_search_for_you
    with one of the following file extensions:
    • Script dropper, using one of the following file extensions:
      • HTA
      • VBS
    • Executable, using one of the following file extensions:
      • exe
      • scr
      • com
      • cpl
    • Executable dropper, CPL file with .CPL file extension.
    The executable uses an icon that looks like an envelope.


    The CPL file uses an icon that looks like 2 gears.


    A file named CPLSTUB.EXE (copy of the worm) is dropped in the default Windows directory, e.g. c:\windows or c:\winnt.

    The following Registry key is added to hook system startup:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drvddll.exe" = C:\WINNT\SYSTEM32\drvddll.exe
    The worm attempts to terminate anti-virus, security and Windows programs such as REGEDIT.EXE. See http://vil.nai.com/vil/content/v_124875.htm for the complete list.

    It opens TCP port 2535 on the victim's computer and sends notification to the virus author that the computer is ready to accept remote commands, by calling a PHP script on remote web sites (mostly in Germany).

    It creates copies of itself in folders with the phrase shar (commonly used with peer-to-peer filesharing like KaZaa). The infected files will have the following filenames:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe
    • ACDSee 9.exe
    For Windows ME/XP users:

    Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder. See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.
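The message pattern shared by the Bagle.ab and Bagle.aa alerts above (a known subject line, an attachment with one of the listed base names and an executable or script extension, or a ZIP whose password is announced in the body and delivered as a picture) can be scored at the mail gateway. The following is an added example in Python (not code from the page or from McAfee); the subject, name, extension and phrase lists are subsets of those in the alerts, and the sample messages are constructed with the standard email library.

```python
"""Mail-gateway check for the Bagle.aa/.ab message pattern.

Added example, not code from the page or from McAfee: the subject lines,
attachment base names, extensions and password-hint phrases are a subset of
the lists in the alerts above, and the sample messages are constructed here
with the standard email library.
"""
from email.message import EmailMessage

KNOWN_SUBJECTS = {"re: msg reply", "re: hello", "re: yahoo!", "re: thank you!",
                  "re: thanks :)", "re: document", "incoming message",
                  "notification", "hidden message", "protected message",
                  "encrypted document"}
KNOWN_BASENAMES = {"information", "details", "text_document", "readme",
                   "document", "info", "the_message", "moreinfo", "message",
                   "joke", "toy", "your_money", "counter_strike"}
EXEC_EXTS = {"exe", "scr", "com", "cpl", "hta", "vbs"}
PASSWORD_HINTS = ("password is", "password --", "use password",
                  "following password", "archive password", "password:")


def build_sample(subject, body, attachments):
    """Construct a test message; attachments are (filename, mime type, bytes)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.org"      # Bagle spoofs this header
    msg["To"] = "user@example.edu"
    msg["Subject"] = subject
    msg.set_content(body)
    for name, ctype, data in attachments:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


def score_message(msg):
    """Return {'reasons': [...], 'verdict': bool}; two or more reasons = quarantine."""
    reasons = []
    if (msg["Subject"] or "").strip().lower() in KNOWN_SUBJECTS:
        reasons.append("known_subject")

    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().lower() if text_part is not None else ""

    names = [(p.get_filename() or "") for p in msg.iter_attachments()]
    types = [p.get_content_type() for p in msg.iter_attachments()]
    has_zip = False
    for name in names:
        base, _, ext = name.rpartition(".")
        base, ext = base.lower(), ext.lower()
        if ext in EXEC_EXTS and base in KNOWN_BASENAMES:
            reasons.append("exec_attachment")
        if ext == "zip":
            has_zip = True
    if has_zip and any(h in body for h in PASSWORD_HINTS):
        reasons.append("zip_with_password_hint")
    # The worm ships the archive password as a picture so text filters cannot read it.
    if has_zip and any(t.startswith("image/") for t in types):
        reasons.append("password_image")
    return {"reasons": reasons, "verdict": len(reasons) >= 2}


# Constructed samples: one Bagle-style message, one ordinary report.
BAGLE_LIKE = build_sample(
    "Re: Thank you!",
    "For security purposes the attached file is password protected. Password --",
    [("Details.zip", "application/zip", b"PK\x03\x04 constructed, not a real archive"),
     ("pass.gif", "image/gif", b"GIF89a constructed placeholder")],
)
ORDINARY = build_sample(
    "Re: Q3 budget",
    "Attached is the spreadsheet we discussed.",
    [("budget.pdf", "application/pdf", b"%PDF-1.4 constructed placeholder")],
)

if __name__ == "__main__":
    for label, m in (("bagle-like", BAGLE_LIKE), ("ordinary", ORDINARY)):
        print(label, score_message(m))
```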

     

     

    W32/Bagle.z@MM
    (aka W32.Beagle.W@MM)
    April 26, 2004

    Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
    Risk Assessment: Medium
    Minimum VirusScan DAT: 4353 (released 4/26/2004 11:50 am HST)
    Minimum VirusScan scan engine: 4.2.40
    For more information: http://vil.nai.com/vil/content/v_122415.htm
    Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.1, updated 4/26/2004)

    NAI has raised the threat level of the new variant, W32/Bagle.z@MM, to MEDIUM due to increased prevalence. Please update your McAfee VirusScan DAT to 4353 (released 4/26/04 11:50 am HST), using the manual updater method described at http://www.hawaii.edu/antivirus/howtoupdate.html.

    W32/Bagle.z@MM arrives via email with a spoofed FROM address and various possible attachments (with garbage appended). It has its own SMTP engine to construct email messages and harvests email addresses from files on the local system.

    The worm is also spread via files on shared folders with the phrase SHAR used in peer-to-peer filesharing applications such as KaZaa, Bearshare, Limewire, etc.

    When the worm is executed, a false error message will be displayed:


    The email message will have the following characteristics:

    FROM: (spoofed)

    It may use these address strings:

    • lizie@
    • annie@
    • ann@
    • christina@
    • secretGurl@
    • jessie@
    • christy@
    SUBJECT: (one of the following)
    • Hello!
    • Hey!
    • Let's socialize, my friend!
    • Let's talk, my friend!
    • I'm bored with this life
    • Notify from a known person ;-)
    • I like you
    • I just need a friend
    • I'm a sad girl...
    • Re: Msg reply
    • Re: Hello
    • Re: Yahoo!
    • Re: Thank you!
    • Re: Thanks :)
    • RE: Text message
    • Re: Document
    • Incoming message
    • Re: Incoming Message
    • Re: Incoming Fax
    • Hidden message
    • Fax Message Received
    • Protected message
    • RE: Protected message
    • Forum notify
    • Request response
    • Site changes
    • Re: Hi
    • Encrypted document
    Body Text: Various strings constructed by the worm's own SMTP engine

    Part 1:
    • I study at school, I like to spend time cheerfully even if not all so well, I hompe and trust, that all bad when nibud will pass and necessarily nastanet there would be a desire.
    • I like to feel protected, to understand, that near to me the man, which both in sex, and in life knows what to do. It is possible to fall in love with such the man for ever.
    • Cometime I write a poem, play the gitar. I love a traveling, I like a romantice and I want to meet, comeday, my big love!
    • I am kind, fair, careful, gentle also want to create family. I love animal (cats, dogs), the literature, theatre, cinema, music, walks in park
    • I very much love productive leisure, to prepare for new exotic dishes, at leisure to leave with friends on the nature, to float, I like to go for a drive on mountain skiing, to visit excursions, travel. Very easy going.
    • I have recently got demobilize from army and also I am going to act in a higher educational institution
    • Searching for the right person,for real man, who will really cares and love me.
    • I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats
    • I am looking for a serious relationship. I am NOT interested in flirt and short-term love adventure.
    • I love, as the good company, and I dream about romantic appointment at candles with loved. I still believe in love.
    • I like an active life... and interesting people..
    • i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.
    • I'm a young lady of 20 years old i'd like to find my second part!!!
    • I am simple girl who are looking for serious relation with responsible and confident man. I am ready to give all my love and carering for a right person who is going to love and respect me
    • I am a beautiful, sexual girl with very big ambitions and dreams. I can make happy anyone man...
    • I am a student. I'm studying international relationships. I would like to find an interesting and active man for serious relations. Sitting at home it is not for me. I like to go out to the theater, cinema, and nightclubs.
    • I love productive leisure, to travel, communicate with friends.
    • I very much love new acquaintances, I love music, meetings with friends. I go on night clubs, except for parties I sometimes visit theatres and I love cinema. In general I only shall be glad to new acquaintance and class dialogue...
    • I'm so bored, let me talk with you...
    • You are my prince :-)
    • You are cool :-)
    Part 2:
    • Read the attach.
    • Your file is attached.
    • More info is in attach
    • See attach.
    • Please, have a look at the attached file.
    • See the attached file for details.
    • Message is in attach
    • Here is the file.
    • For more information see the attached file.
    • Attached file will tell you everything.
    • For details see the attach.
    • Attached file tells everything.
    • Further details are in attach.
    Part 3:
    • Sincerely,
    • Best wishes,
    • Yours,
    • Have a good day,
    • Cheers,
    • Kind regards,
    If the attachment is a password-protected ZIP file, one of the following is attached to the email:
    • For security reasons attached file is password protected. The password is [reference to image file]
    • For security purposes the attached file is password protected. Password -- [reference to image file]
    • Note: Use password [reference to image file] to open archive.
    • Attached file is protected with the password for security reasons. Password is [reference to image file]
    • In order to read the attach you have to use the following password: [reference to image file]
    • Archive password: [reference to image file]
    • Password - [reference to image file]
    • Password: [reference to image file]
    -------------------------------------
    Here is a sample message:

    Hello [NAME],

    [IMAGE]
    i am honest, responsible, romantic person. iwould like to find my only love,to find my destiny.

    For more information see the attached file.

    Attached file is protected with the password for security reasons.
    Password is [IMAGE]

    Best wishes, Annie

    -------------------------------------
    Attachment: (one of the following)
    • a script dropper with HTA or VBS extension
    • a password-protected ZIP file (with password in the message body)
    • an executable file with EXE, SCR, COM or CPL extensions
      • Information
      • Details
      • Readme
      • Document
      • Info
      • Details
      • MoreInfo
      • Message
    • executable dropper, CPL file with .CPL extension
    The executable uses an icon that looks like 3 cherries.

    The CPL file uses an icon that looks like 2 gears.

    The virus copies itself into the Windows System directory as drvsys.exe. For example:
      C:\WINNT\SYSTEM32\drvsys.exe
    It also creates other files in this directory to perform its functions:
    • drvsys.exeopen (Copy of the worm)
    • drvsys.exeopenopen (Copy of the worm)
    The following Registry key is added to hook system startup:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "drvsys.exe" = C:\WINNT\SYSTEM32\drvsys.exe
    The worm attempts to terminate anti-virus, security and Windows programs such as REGEDIT.EXE.

    It opens TCP port 2535 on the victim's computer and sends notification to the virus author that the computer is ready to accept remote commands, by calling a PHP script on remote web sites.

    It creates copies of itself in folders with the phrase shar (commonly used with peer-to-peer filesharing like KaZaa). The infected files will have the following filenames:
    • Microsoft Office 2003 Crack, Working!.exe
    • Microsoft Windows XP, WinXP Crack, working Keygen.exe
    • Microsoft Office XP working Crack, Keygen.exe
    • Porno, sex, oral, anal cool, awesome!!.exe
    • Porno Screensaver.scr
    • Serials.txt.exe
    • KAV 5.0
    • Kaspersky Antivirus 5.0
    • Porno pics arhive, xxx.exe
    • Windows Sourcecode update.doc.exe
    • Ahead Nero 7.exe
    • Windown Longhorn Beta Leak.exe
    • Opera 8 New!.exe
    • XXX hardcore images.exe
    • WinAmp 6 New!.exe
    • WinAmp 5 Pro Keygen Crack Update.exe
    • Adobe Photoshop 9 full.exe
    • Matrix 3 Revolution English Subtitles.exe

       

       

      W32/Netsky.s@MM
      April 6, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4348 (released 4/6/2004 9:00 am HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101156.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.2.0, updated 4/6/2004)

      W32/Netsky.s@MM is spread via mass email with a spoofed FROM address and an attachment with a .PIF extension (18,432 bytes). It gathers email addresses from files on drives C: through Z: (excluding CD-ROM drives). It has a backdoor component, opening TCP port 6789 on the victim's computer, which facilitates downloading and execution of files. If the system date is between April 14-23, the worm launches a denial of service (DoS) attack on several web sites.

      The email arrives with the following characteristics:

      From: (spoofed or forged)

      Subject: (one of the following):

      • Hello!
      • Hi!
      • Re: Important
      • Important
      • Re: My details
      • My details
      • Re: Your information
      • Your information
      • Re: Your details
      • Your details
      • Re: Your document
      • Your document
      • Re: Request
      • Request
      • Re: Thanks you!
      • Thank you!
      • Re: Approved
      • Approved
      • Re: Hello
      • Re: Hi
      • Hello
      • Hi
      Body: various message bodies constructed from strings within the worm, using its own SMTP engine

      The first part is one of the following:
      • Hi!
      • Hello!
      The second part is one of the following, where %s is the attachment name:
      • Note that I have attached your document.
      • My %s.
      • The %s.
      • I have spent much time for the %s.
      • I have spent much time for your document.
      • Your %s.
      • Please notice the attached %s.
      • Please notice the attached document.
      • Please read quickly.
      • For more details see the attached document.
      • For more information see the attached document.
      • Approved, here is the document.
      • I have found the %s.
      • My %s is attached.
      • Your %s is attached.
      • Please, %s.
      • Your file is attached to this mail.
      • Please read the attached document.
      • Please have a look at the attached document.
      • See the document for details.
      • Here is the document.
      • The requested %s is attached!
      • I have sent the %s.
      • Please see the %s.
      • The %s is attached.
      • Here is the %s.
      • Please have a look at the %s.
      • Please read the %s.
      The third part is one of the following:
      • Yours sincerely
      • Thank you
      • Thanks
      The fourth part is one of the following:
      • +++ X-Attachment-Type: document
        +++ X-Attachment-Status: no virus found
        +++ Powered by the new Panda OnlineAntiVirus
        +++ Website: www.pandasoftware.com

      • +++ X-Attachment-Type: document
        +++ X-Attachment-Status: no virus found
        +++ Powered by the new MCAfee OnlineAntiVirus
        +++ Homepage: www.mcafee.com

      • +++ X-Attachment-Type: document
        +++ X-Attachment-Status: no virus found
        +++ Powered by the new F-Secure OnlineAntiVirus
        +++ Visit us: www.f-secure.com

      • +++ X-Attachment-Type: document
        +++ X-Attachment-Status: no virus found
        +++ Powered by the new Norton OnlineAntiVirus
        +++ Free trial: www.norton.com
      Attachment: .PIF extension, with filename from the following and a random number appended to it. For example, picture_document8.pif.
      • account
      • postcard
      • sample
      • developement
      • concept
      • story
      • report
      • icq_number
      • e-mail
      • phone_number
      • personal_message
      • photo_document
      • order
      • important_document
      • diggest
      • final_version
      • release
      • answer
      • bill
      • notice
      • requested_document
      • description
      • summary
      • picture_document
      • movie_document
      • approved_document
      • old_document
      • document
      • mail
      • letter
      • homepage
      • detailed_document
      • powerpoint_document
      • excel_document
      • word_document
      • info
      • information
      • text
      • new_document
      • textfile
      • user_list
      • improved_file
      • secound_document
      • file
      • number_list
      • contact_list
      • message
      • note
      • improved_document
      • details
      • instructions
      • presentation_document
      • abuse_list
      • archive
      • corrected_document
      • list
      • approved_file
      Here is an email sample of W32/Netsky.s@MM:


      Technical Information:

      The worm installs itself in the Windows directory as EASYAV.EXE.
      It adds a registry key to hook itself on startup:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
      It copies itself as UINMZERTINMDS.OPM (base-64 encoded) in the Windows directory.

      It opens TCP port 6789 on the infected computer and launches a denial of service (DoS) attack on the following websites, if the current system date is between April 13-24, 2004:
      • www.keygen.us
      • www.freemule.net
      • www.kazaa.com
      • www.emule.de
      • www.cracks.am
      The worm queries DNS at one of the following IPs:
      • 212.44.160.8
      • 195.185.185.195
      • 151.189.13.35
      • 213.191.74.19
      • 193.189.244.205
      • 145.253.2.171
      • 193.141.40.42
      • 194.25.2.134
      • 194.25.2.133
      • 194.25.2.132
      • 194.25.2.131
      • 193.193.158.10
      • 212.7.128.165
      • 212.7.128.162
      • 193.193.144.12
      • 217.5.97.137
      • 195.20.224.234
      • 194.25.2.130
      • 194.25.2.129
      • 212.185.252.136
      • 212.185.253.70
      • 212.185.252.73

       

       

      W32/Sober.f@MM
      April 5, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4347 (released 4/5/2004 9:00 am HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101154.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (v2.1.9, updated 4/4/2004)

      W32/Sober.f@MM is spread via mass email (written in English or German), by sending itself to email addresses harvested from files on the infected system. It does not use any exploits to automatically execute the attachment. Users must choose to open the attachment to get infected. Be careful when opening unexpected attachments.

      The email arrives with the following characteristics (English version listed):
      (German version of email is listed at http://vil.nai.com/vil/content/v_101154.htm.)

      FROM: (spoofed or forged)

      SUBJECT: (one of the following):

      • Bad Gateway
      • Best
      • Confirmation Required
      • Connection failed
      • damn!
      • Details
      • Hey
      • hey you
      • Hi!
      • Hi, it's me
      • Illegal signs in Mail-Routing
      • Info
      • Information
      • Mail delivery failed
      • Mail Delivery failure
      • mail delivery status
      • Mail Error
      • Message Error
      • Oh my God
      • Warning!
      • Well, surprise?!
      • Your document
      • Your mail account
      • Your mail-account
      • Your password
      Body: (one of the following)
      • I was surprised, too! :-(
        Who could suspect something like that?
        shock
      • All OK :)
        see, what i've found!
      • hi its me
        i've found a shity virus on my pc. check your pc, too!
        follow the steps in this article.
        bye
      • I 've told you!:-) sometime I grab your passwords!
        your_passwords
        I hope you accept the result!
      • Follow the instructions to read the message.
        Please read the document
      • Your password was changed successfully.
        Protected message is attached.
        ++++ Service: http://www.(domain name)
        ++++ Mail To: User-info
      • 67.28.114.32_failed_after_I_sent_the_message./
        Remote_host_said:_554_delivery_error:_dd_
        Sorry_your_message_cannot_be_delivered._
        This_account_has_been_disabled_or_discontinued_[#102]._-_mta134.mail.dcn.com
        ** End of Transmission
      • The original message is a separate attachment.
        --- Mail To: UserHelp
        Error_Info
        _attach
        Read the attachment for details.
        Bad Gateway: The message has been attached.
        +++ A service of
        +++ Mail: home
      • Database #Error
        -- Partial message is available!
        -- Error: llegal signs in Mail-Routing
        -- Mail Server: ESMTP VX32.9 Version Betha Alpha
      • Mail- Attachment: No suspicious Virus signatures
        Mail Scanner: No Virus found
        Anti-Virus: No Virus!
      ATTACHMENT: file with .PIF (30,720 bytes) or a .ZIP (30,866 bytes) extension
      One of the following names (filename may be preceded by random numbers and appended with _attach):
      • Administrator
      • AMD-System.txt
      • AntiVirus-Text
      • attach-message
      • AutoMailer
      • block-lists
      • check-this
      • corrected_text-file
      • database_partial
      • database
      • Error_info
      • error
      • error-message
      • help
      • instructions
      • message
      • Money_help
      • partial
      • pass-message
      • pmessage-text
      • RobotMailer
      • textdocument
      • User-info
      • webmaster
      • your_article
      • your-passwords

      Technical Information:

      When the worm is executed, it drops the following files in the default Windows System32 %system32% folder (c:\Windows\System or c:\WinNT\System32):
      • WINHEX32XX.WRM (58,156 bytes, MIME encoded copy of the worm)
      • WINSYS32XX.ZZP (58,374 bytes, MIME encoded ZIP including the worm)
      • SYST32WIN.DLL (varies, harvested email addresses)
      • SPOOFED_RECIPS.OCS (varies, harvested email addresses)
      • BCEGFDS.LLL (0 bytes)
      • ZHCARXXI.WX (0 bytes)
      • ZMNDPGWF.KXX (0 bytes)
      The worm copies itself to the %system32% folder using a filename constructed from the following strings: 32, crypt, data, diag, dir, disc, explorer, host, log, run, service, smss32, spool, sys, win. For example, WINSYSSERVICE.EXE or DISCDIRRUN.EXE.
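      The filename construction just described (a concatenation of short tokens, so that no single fixed name can be listed) can still be checked by trying to segment a candidate name into the token list. The following Python is an added example written for this page, not code from McAfee or from the worm itself; it assumes the token list quoted above, a .exe extension as in the registry entry below, a constructed allowlist (explorer.exe) for legitimate binaries whose name happens to be a single token, and a constructed directory listing as sample input.

```python
import ntpath

# Building blocks quoted in the Sober.f alert above; the worm concatenates
# some of them to name its copy in %system32% (WINSYSSERVICE.EXE, DISCDIRRUN.EXE).
SOBER_F_TOKENS = ("32", "crypt", "data", "diag", "dir", "disc", "explorer",
                  "host", "log", "run", "service", "smss32", "spool", "sys", "win")

# Constructed allowlist (an assumption, not from the alert): legitimate Windows
# binaries whose name is itself a single token and would otherwise match.
KNOWN_GOOD = {"explorer.exe"}


def segment(stem):
    """Split `stem` into a sequence of SOBER_F_TOKENS that concatenates back to
    it, or return None when no such split exists. Memoised recursion: every
    split of each prefix is tried, so overlapping tokens are handled."""
    stem = stem.lower()
    memo = {}

    def solve(i):
        if i == len(stem):
            return []
        if i in memo:
            return memo[i]
        result = None
        for tok in SOBER_F_TOKENS:
            if stem.startswith(tok, i):
                rest = solve(i + len(tok))
                if rest is not None:
                    result = [tok] + rest
                    break
        memo[i] = result
        return result

    return solve(0)


def sober_f_name_match(path):
    """Return the token split for a filename built the way the alert describes
    (tokens only, .exe extension), or None. Accepts Windows or POSIX paths;
    ntpath.basename splits on both separators on any platform."""
    name = ntpath.basename(path).lower()
    if not name.endswith(".exe") or name in KNOWN_GOOD:
        return None
    return segment(name[:-4])


def scan_listing(paths):
    """Return {path: token_split} for every listing entry that matches."""
    hits = {}
    for p in paths:
        split = sober_f_name_match(p)
        if split:
            hits[p] = split
    return hits


# Constructed directory listing for demonstration (not real sample data).
SAMPLE_LISTING = [
    r"C:\WINNT\System32\WINSYSSERVICE.EXE",
    r"C:\WINNT\System32\DISCDIRRUN.EXE",
    r"C:\WINNT\System32\explorer.exe",
    r"C:\WINNT\System32\notepad.exe",
    r"C:\WINNT\System32\WINHEX32XX.WRM",
]

if __name__ == "__main__":
    for path, split in scan_listing(SAMPLE_LISTING).items():
        print(path, "->", "+".join(split))
```

      A segmentation hit is a lead, not proof: the allowlist exists precisely because a real Windows file name can be a single token, so treat a match as a prompt to check the file's size, hash and Run-key reference rather than as a verdict on its own.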

      It creates a registry key to get itself started on system bootup:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ [generated string] = C:\WINNT\System32\[generated string].exe
      Registry key is also created:
        HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [generated string]
      Once the computer has been infected, read access to the worm's file may be denied, in which case the VirusScan scanner will not be able to detect the file. If a computer is suspected of being infected, the following removal procedure is recommended:
      1. Reboot the system into Safe Mode (press the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
      2. Run a system scan using the specified engine/DATs.
      3. Delete files flagged as infected
      4. Restart machine in default mode.

       

       

      W32/Netsky.q@MM
      March 29, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4345 (released 3/29/2004 6:30 am HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101145.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/(v2.1.8, updated 3/29/2004 HST)

      W32/Netsky.q@MM spreads via mass email and arrives with a spoofed or forged FROM address, variable subject, variable message body and variable attachment (28,008 bytes) with a .PIF, .SCR, .ZIP, or .EML file extension. The worm exploits the "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability (MS01-020, superseded by MS01-027), which causes unpatched systems (with Microsoft Internet Explorer v5.01 or v5.5 without SP2) to automatically execute the worm when reading or previewing an infected message.

      The worm copies itself as SysMonXP.exe in the Windows directory. It creates the following files in the Windows directory:

      • c:\WINDOWS\base64.tmp
      • c:\WINDOWS\firewalllogger.txt
      • c:\WINDOWS\zipo0.txt (Base64 encoded)
      • c:\WINDOWS\zipo1.txt (Base64 encoded)
      • c:\WINDOWS\zipo2.txt (Base64 encoded)
      • c:\WINDOWS\zipo3.txt (Base64 encoded)
      • c:\WINDOWS\zippedbase64.tmp
      • c:\WINDOWS\sysmonxp.exe
      The following registry key is created:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SysMonXP" = Data: C:\WINDOWS\SysMonXP.exe
      The email has the following characteristics:

      From: (spoofed or forged)

      Subject:
      • Delivery Bot (%recipient email address %)
      • Server Error (%recipient email address %)
      • Deliver Mail (%recipient email address %)
      • Delivery Failed (%recipient email address %)
      • Unknown Exception (%recipient email address %)
      • Failed (%recipient email address %)
      • Failure (%recipient email address %)
      • Status (%recipient email address %)
      • Error (%recipient email address %)
      • Delivered Message (%recipient email address %)
      • Mail System (%recipient email address %)
      • Mail Delivery System (%recipient email address %)
      • Mail Delivery failure (%recipient email address %)
      • Delivery (%recipient email address %)
      • Delivery Failure (%recipient email address %)
      • Delivery Error (%recipient email address %)
      Body:
      • Received message has been sent as a binary file.
      • Modified message has been sent as a binary attachment.
      • Received message has been sent as an encoded attachment.
      • Translated message has been attached.
      • Message has been sent as a binary attachment.
      • Received message has been attached.
      • Partial message is available and has been sent as a binary attachment.
      • The message has been sent as a binary attachment.
      • Delivery Agent - Translation failed
      • Delivery Failure - Invalid mail specification
      • Mail Delivery Failure - This mail couldn't be shown
      • Mail Delivery System - This mail contains binary characters
      • Mail Transaction Failed - This mail couldn't be converted
      • Mail Delivery Error - This mail contains unicode characters
      • Mail Delivery Failed - This mail couldn't be represented
      • Mail Delivery - This mail couldn't be displayed
      Attachment: (random filename generated from 3 parts below)
      • Part 1: one of the following - mail, msg, message, Note, data
      • Part 2: random numbers or nothing
      • Part 3: file extension .PIF, .SCR, .ZIP, or .EML
      For example, message2.zip or data.pif.
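      The attachment naming schemes given for Netsky.s (a base name from the word list, a random number, .PIF) and for Netsky.q (one of five words, optional digits, one of four extensions) are regular enough to be checked at a mail gateway. The following Python is an added example written for this page, not McAfee's or the worm's code; it assumes the base-name lists and attachment sizes quoted in the two alerts, uses a constructed attachment list as sample input, and reports which family a name fits, using the size to break ties because both lists share the words "mail", "message" and "note".

```python
import re

# Netsky.s attachment base names from the alert above; the worm appends a
# random number and a .PIF extension (for example, picture_document8.pif).
NETSKY_S_BASENAMES = (
    "account", "postcard", "sample", "developement", "concept", "story",
    "report", "icq_number", "e-mail", "phone_number", "personal_message",
    "photo_document", "order", "important_document", "diggest",
    "final_version", "release", "answer", "bill", "notice",
    "requested_document", "description", "summary", "picture_document",
    "movie_document", "approved_document", "old_document", "document",
    "mail", "letter", "homepage", "detailed_document", "powerpoint_document",
    "excel_document", "word_document", "info", "information", "text",
    "new_document", "textfile", "user_list", "improved_file",
    "secound_document", "file", "number_list", "contact_list", "message",
    "note", "improved_document", "details", "instructions",
    "presentation_document", "abuse_list", "archive", "corrected_document",
    "list", "approved_file",
)

# Netsky.q: part 1 from a short word list, part 2 optional digits,
# part 3 one of four extensions (for example, message2.zip or data.pif).
NETSKY_Q_BASENAMES = ("mail", "msg", "message", "note", "data")

# Attachment sizes quoted in the two alerts; used only to break ties.
EXPECTED_SIZES = {"Netsky.s": 18432, "Netsky.q": 28008}


def _alternation(names):
    # Longest names first so "document" is not tried before "picture_document".
    return "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))


NETSKY_S_RE = re.compile(r"^(?:%s)\d+\.pif$" % _alternation(NETSKY_S_BASENAMES),
                         re.IGNORECASE)
NETSKY_Q_RE = re.compile(r"^(?:%s)\d*\.(?:pif|scr|zip|eml)$" % _alternation(NETSKY_Q_BASENAMES),
                         re.IGNORECASE)


def classify_attachment(filename, size=None):
    """Return the list of alert families whose naming scheme `filename` fits.

    A name such as mail3.pif matches both schemes on its own; when `size` is
    given, families whose quoted attachment size differs are dropped."""
    hits = []
    if NETSKY_S_RE.match(filename):
        hits.append("Netsky.s")
    if NETSKY_Q_RE.match(filename):
        hits.append("Netsky.q")
    if size is not None:
        hits = [h for h in hits if EXPECTED_SIZES[h] == size]
    return hits


def triage_mail(attachments):
    """Given [(filename, size_in_bytes), ...] from one message, return the
    attachments that fit either scheme, with their candidate families."""
    flagged = {}
    for name, size in attachments:
        families = classify_attachment(name, size)
        if families:
            flagged[name] = families
    return flagged


# Constructed sample attachments (not taken from real mail traffic).
SAMPLE_ATTACHMENTS = [
    ("picture_document8.pif", 18432),
    ("message2.zip", 28008),
    ("mail3.pif", 18432),
    ("quarterly_report.xls", 40960),
]

if __name__ == "__main__":
    for name, families in triage_mail(SAMPLE_ATTACHMENTS).items():
        print(name, "->", ", ".join(families))
```

      The word lists are the weak part of any such check, since a later variant can change them; the size and the executable extension are what make the match worth acting on, and a .PIF or .SCR attachment is worth quarantining at the gateway regardless of its name.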

      The worm harvests email addresses from files on the local system with file extensions including .PPT, .XLS, .HTML, .HTM, .DBX, .CGI, .DOC, .WAB, .ASP, .PHP, .TXT, .EML (for complete list of file extensions)

       

       

      W32/Bagle.u@MM
      March 28, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4344 (released 3/26/2004)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101141.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/(v2.1.7, updated 3/26/2004)

      W32/Bagle.u@MM (also known as W32.Beagle.u@mm) is spread via mass mailing and arrives in an email message with a spoofed FROM address, blank subject, blank body, and a randomly named attachment with an .EXE file extension (8,208 bytes).

      The email has the following characteristics:

        From: (spoofed or forged)

        Subject: (blank)

        Body: (blank)

        Attachment: random file name with .EXE extension (8,208 bytes)
      Email addresses are harvested from files on the victim's computer with extensions .wab, .txt, .msg, .htm, .shtm, .xml, .dbx, .mbx, .eml, .asp, .jsp, .xls, ... (for complete list of file extensions). The worm mass-mails itself to recipients extracted from the victim's computer.

      MSHEARTS.EXE (Windows Hearts game) is run (if present on the infected computer) when the worm executes.

      The worm opens TCP port 4751 on the infected computer. The exact functionality of this backdoor is under investigation. It is suspected that it may allow downloading and execution of files.

      It sends notification (containing port number and ID number) via HTTP to a remote script at http://www.werde.de.

      The worm copies itself into the default Windows System directory (%SysDir%) as GIGABIT.EXE. For example, c:\WinNT\System32\GIGABIT.EXE.

      It adds the following Registry key to hook system startup:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gigabit.exe" = %SysDir%\gigabit.exe
      It creates the following Registry key:
      • HKEY_CURRENT_USER\Software\Windows2004
        with values "fr1n" and "gsed".
      The worm checks the system date when it is executed. If it is Jan. 1, 2005 or later, it terminates.

       

       

      W32/Netsky.p@MM
      March 22, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003 and Internet Explorer 5.01 and 5.5
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4340 (released 3/22/2004 8:00 am HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101119.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/ (updated: 3/22/2004 HST)

      The Netsky.p virus has two methods of spreading itself: the first is mass mailing and the second is a vulnerability in Microsoft Internet Explorer 5.01 and 5.5. The virus installs its own SMTP server on the infected computer so that it can send infected messages to email addresses that it finds on that computer. It searches a variety of files, such as XML, HTML, HTM and VBS files, and gleans email addresses from them; for a complete list, please visit the McAfee information page above. This means that users might complain about numerous return-to-sender messages for email they never sent, or that they do not know the person they supposedly sent the email message to.

      The second method uses an old vulnerability in Microsoft Internet Explorer 5.01 and 5.5. The virus will execute when one of these versions of Internet Explorer is used to view the infected email.

      The virus does these things to ensure that it runs on startup. The virus on an infected computer will copy itself to the Windows directory. The file name is FVProtect.exe. It will also create other files:

      • userconfig9x.dll (file size is 26,624)
      • base64.tmp (UUEncoded worm)
      • zip1.tmp (UUEncoded of worm zip archive)
      • zip2.tmp (UUEncoded of worm zip archive)
      • zip3.tmp (UUEncoded of worm zip archive)
      • zipped.tmp (worm in zip archive)
      The virus will create a registry key
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

      The last thing that it would do is search the hard drive for the following words and copy itself into those directories:

      • shared files
      • kazaa
      • mule
      • donkey
      • morpheus
      • lime
      • bear
      • icq
      • shar
      • upload
      • http
      • htdocs
      • ftp
      • download
      • my shared folder
      Once it copies itself to these directories, the virus' file name will entice the users of the shared resource to execute it. Some of the file names are Adobe Photoshop 10 full.exe and Ahead Nero 8.exe. For a complete list, please visit http://vil.nai.com/vil/content/v_101119.htm

       

       

      W32/Bagle.p@MM
      March 15, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4338 (released 3/15/2004 1:53 pm HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101098.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/(updated: 3/15/2004)

      The bagle.p virus is a mass-mailing virus that sends itself as an infected attachment to other people whose email addresses exist on the victim's computer. The email addresses are gleaned from many different file types: WAB, TXT, MSG, HTM, SHTM, STM, XML, DBX, MBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, WSH, ADB, TBB, SHT, XLS, OFT, UIN, CGI, MHT, DHTM and JSP files. The email message will look like it is from an authoritative source, and the topic usually concerns the person's email account or password.

      Here is an example of what a bagle.p infected message would look like:

      ---------------start of EXAMPLE message-----------------
      To: therese@hawaii.edu
      From: support@hawaii.edu
      Subject: E-mail account security warning

      Dear user of hawaii.edu,

      mailing system wants to let you know that, Your e-mail account has been temporary disabled because of unauthorized access. Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.

      For security reasons attached file is password protected. The password is (attached image inserted here)

      Sincerely,
      The hawaii.edu team http://www.hawaii.edu
      ---------------end of EXAMPLE message-----------

      The bagle.p virus will infect the victim's computer after the attachment is executed. The virus makes some registry edits so that it can set up an SMTP server on the victim's computer, and it uses this SMTP server to spread itself on the Internet.

      The following Registry key is added to hook system startup:

      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winupd.exe" = C:\WINNT\SYSTEM32\winupd.exe

      The worm uses the text file icon to disguise itself.

      It also needs the following files to run properly. The virus copies itself into the Windows System directory using the following names, for example:

      • C:\WINNT\SYSTEM32\WINUPD.EXE
      • C:\WINNT\SYSTEM32\winupd.exeopen
      • C:\WINNT\SYSTEM32\winupd.exeopenopen
      The bagle.p virus will attempt to terminate many popular security products that are resident in memory (TSRs) so that it can avoid being detected. For a complete list of the TSRs it tries to turn off, please visit http://vil.nai.com/vil/content/v_101098.htm

      IMPORTANT
      The most damaging part of bagle.p is that it searches the hard drives for *.EXE files and appends its own encrypted code to them. The file size increases by about 45KB, and the time and date stamps change to the time and date of infection.

       

       

      W32/Bagle.n@MM
      March 13, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4337 (released 3/13/2004 10:00 pm HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101095.htm
      Stinger Removal Tool: http://vil.nai.com/vil/stinger/(updated: 3/13/2004 at 10:00 PM HST)

      The W32/Bagle.n virus is masquerading as an official email message with an attachment. The email message looks like it is from one of these accounts but it is spoofed or faked.

      • management@
      • administration@
      • staff@
      • noreply@
      • support@
      • and other email addresses found on the infected computer (which is not necessarily your computer)
      Subject line examples:
      • Account notify
      • E-mail account disabling warning.
      • E-mail account security warning.
      • Email account utilization warning.
      • Email report
      • E-mail technical support message.
      • E-mail technical support warning.
      • E-mail warning
      • Encrypted document
      • Fax Message Received
      • Forum notify
      • Hidden message
      • Important notify
      • Important notify about your e-mail account.
      • Incoming message
      • Notify about using the e-mail account.
      • Notify about your e-mail account utilization.
      • Notify from e-mail technical support.
      • Protected message
      • Re: Document
      • Re: Hello
      • Re: Hi
      • Re: Incoming Fax
      • Re: Incoming Message
      • Re: Msg reply
      • RE: Protected message
      • RE: Text message
      • Re: Thank you!
      • Re: Thanks :)
      • Re: Yahoo!
      • Request response
      • Site changes
      • Warning about your e-mail account.
      There is a wide variety of Attachment explanations, Password Information, Closings, and Attachment file names. The message body is a better way to identify a virus infected message. The message might contain one of the following sentences:
      EXAMPLES
      • Your e-mail account has been temporary disabled because of unauthorized access.
      • Our main mailing server will be temporary unavailable for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
      • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
      • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
      • Our antivirus software has detected a large amount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
      • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
      The closing statement might have a URL at the end of the message to make the message look a bit authentic. Be forewarned, most Internet Service Providers and the University of Hawaii do not send out email messages concerning your email account with an attachment unless you requested information.

      If the infected attachment is executed, the virus will infect the Windows computer. It installs its own SMTP server (email server) so that it can spread itself on the Internet; it opens port 2556 so that a remote connection can be made to the infected computer; it adds some registry entries; it resides in a file that looks like a TrueType font file; and it attempts to turn off a number of security processes, such as antivirus software and firewall software processes.
      Here are some examples of processes:
      • AGENTSVR.EXE
      • ANTI-TROJAN.EXE
      • ANTIVIRUS.EXE
      • ANTS.EXE
      • APIMONITOR.EXE
      • APLICA32.EXE
      • APVXDWIN.EXE
      • ATCON.EXE
      • ATGUARD.EXE
      • ATRO55EN.EXE
      • ATUPDATER.EXE
      • ATWATCH.EXE
      • au.exe
      • AUPDATE.EXE
      • AUTODOWN.EXE
      • AUTOTRACE.EXE
      • AUTOUPDATE.EXE
      • AVCONSOL.EXE
      • AVGSERV9.EXE
      • AVLTMAIN.EXE
      • AVprotect9x.exe
      • AVPUPD.EXE
      • AVSYNMGR.EXE
      • more are listed at http://vil.nai.com/vil/content/v_101095.htm
      If you think you are infected, download the Stinger removal tool and run a full scan of your computer.

      Please check the Network Associates web page for a current list of processes and subject lines: http://vil.nai.com/vil/content/v_101095.htm

       

       

      W32/Netsky.j@MM
      March 8, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4335 (released 3/8/2004 2:30 pm HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101083.htm

      Stinger Removal Tool: http://vil.nai.com/vil/stinger/

      NAI raised the risk level of this newly detected variant, W32/Netsky.j@MM, to MEDIUM due to increased prevalence and released DAT 4335 early to detect it. Please update your McAfee DAT file to 4335 as soon as possible, using the manual Update Now method.

      Note: this variant is also known as W32.Netsky.k@MM by Symantec. To add to the confusion, NAI already has its own W32/Netsky.k@MM variant.

      W32/Netsky.j@MM worm arrives via email with a spoofed or forged FROM address and a .PIF attachment (22,016 bytes).

      • Be careful about opening unexpected attachments, even from people you know.
      • Receiving email stating that your computer sent out a virus may not mean that your computer is infected as this virus spoofs the FROM address.
      The worm arrives via email with these characteristics:

      From: (forged address taken from infected system)
      Subject: (one of the following list)
      • Re: Hello
      • Re: Hi
      • Re: Thanks!
      • Re: Document
      • Re: Message
      • Re: Here
      • Re: Details
      • Re: Your details
      • Re: Approved
      • Re: Your document
      • Re: Your text
      • Re: Excel file
      • Re: Word file
      • Re: My details
      • Re: Your music
      • Re: Your bill
      • Re: Your letter
      • Re: Document
      • Re: Your website
      • Re: Your product
      • Re: Your document
      • Re: Your software
      • Re: Your archive
      • Re: Your picture
      • Re: Here is the document
      Body: (one of the following)
      • Here is the file.
      • Your file is attached.
      • Your document is attached.
      • Please read the attached file.
      • Please have a look at the attached file.
      • See the attached file for details.
      Attachment: filename taken from strings within worm, with a .PIF extension:
      • yours.pif
      • your_text.pif
      • your_bill.pif
      • mp3music.pif
      • document.pif
      • my_details.pif
      • your_file.pif
      • your_website.pif
      • your_product.pif
      • your_letter.pif
      • your_archive.pif
      • your_details.pif
      • document_word.pif
      • all_document.pif
      • application.pif
      • your_picture.pif
      • document_excel.pif
      • document_4351.pif
      • document_full.pif
      • message_part2.pif
      • your_document.pif
      • message_details.pif
      The worm harvests email addresses from files on the local system with the following file extensions:
      • .adb
      • .asp
      • .cgi
      • .dbx
      • .dhtm
      • .doc
      • .eml
      • .htm
      • .oft
      • .php
      • .pl
      • .rtf
      • .sht
      • .shtm
      • .msg
      • .tbb
      • .txt
      • .uin
      • .vbs
      • .wab
      It avoids sending itself to email addresses belonging to anti-virus and security companies. The worm uses its own SMTP engine to construct messages and mass-mail itself.

      The worm copies itself into the default Windows directory %WinDir% (eg. C:\WINDOWS, C:\WINNT) using the filename WINLOGON.EXE.
      • C:\WINNT\WINLOGON.EXE (22,016 bytes)
      Note: the legitimate WINLOGON.EXE lives in the Windows System directory (e.g. C:\WINNT\SYSTEM32); the worm's copy sits in the Windows directory itself.

      A Registry key is created to load the worm at system start.
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
      It attempts to remove various Registry values, some of which are associated with other viruses, trojans, and applications.

      If you are infected, make sure you have McAfee DAT 4335 (released March 8, 2004) and scan engine 4.2.40 or higher, then run a scan of all files to detect and clean this worm. If you suspect that your computer is infected with W32/Netsky.j@MM, download and run the updated Stinger removal tool (v2.1.2, 3/8/04).

       

       

      W32/Sober.d@MM
      (also known as W32/Roca-A)
      March 8, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4334 (released 3/8/2004 7:30 am HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101081.htm

      Stinger Removal Tool: http://vil.nai.com/vil/stinger/

      March 8, 2004 10:00 am HST

      NAI raised the risk level of the W32/Sober.d@MM variant to MEDIUM due to increased prevalence. Please update your McAfee DAT to 4334 as soon as possible, using the manual updater method.

      W32/Sober.d@MM arrives via email pretending to be a patch from Microsoft for the Mydoom virus (written in English or German). The attachment is a file with an .EXE or .ZIP extension. *** Important: Microsoft never sends patches as email attachments! ***

      Summary of the worm:

      • contains its own SMTP engine for constructing messages
      • source/target email addresses are harvested from the infected computer
      • outgoing messages claim to be a patch from Microsoft (written in English and German)

      The email has the following characteristics:

      From: (sender)@microsoft.com (where "sender" is one of the following)

      • Info
      • Center
      • UpDate
      • News
      • Help
      • Studio
      • Alert
      • Security
      Subject: Microsoft Alert: Please Read! (English version)

      Body:

      (English version)
      New MyDoom Virus Variant Detected!
      A new variant of the W32.Mydoom (W32.Novarg) worm spread rapidly through the Internet. Anti-virus vendor Central Command claims that 1 in 45 e-mails contains the MyDoom virus. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 13468.

      Protection:
      Please download this digitally signed attachment.
      This Update includes the functionality of previously released patches.
      +++
      +++ One Microsoft Way, Redmond, Washington 98052
      +++ Restricted Rights at 48 CFR 52.227-19 com

      Attachment: an .EXE or .ZIP file (33,792 bytes) whose name is one of the following, optionally followed by a random 5- or 10-digit number:
      • sys-patch
      • MS-UD
      • MS-Security
      • Patch
      • Update
      • MS-Q
      For example, MS-UD89021.EXE or MS-Q4532364791.EXE.

      When the attachment is run, a fake error message may be displayed.

      The worm installs itself into the default Windows System directory %SysDir% (c:\windows\system32 or c:\winnt\system32) using one of various possible filenames (constructed from a string pool carried within the worm). For example:

        %SYSDIR%\diagwinhost.exe
      It also adds the following Registry values to run itself at startup:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\disc32data "spool32" = %SYSDIR%\diagwinhost.exe
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "diagdir" = %SYSDIR%\diagwinhost.exe %1
      The filenames and Registry keys are random and are made up from the following strings:
      • sys
      • host
      • dir
      • explorer
      • win
      • run
      • log
      • 32
      • disc
      • crypt
      • data
      • diag
      • spool
      • service
      • smss32
      The worm also drops the following files into the %SYSDIR%:
      • Humgly.lkur (0 bytes at testing)
      • temp32x.data (46,244 bytes, Base-64 encoded copy of the worm)
      • wintmpx33.dat (46,426 bytes, Base-64 encoded ZIP containing the worm)
      • yfjq.yqwm (0 bytes at testing)
      • zmndpgwf.kxx (0 bytes at testing)
      If you are infected, make sure you have McAfee DAT 4334 (released March 8, 2004) and scan engine 4.2.40 or higher, then run a scan of all files to detect and clean this worm. If you suspect that your computer is infected with W32/Sober.d@MM, download the updated Stinger removal tool (v2.1.1, 3/8/04).
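Netsky.j hides as WINLOGON.EXE in the Windows directory (the real one lives in the System directory) and loads from a Run value named "ICQ Net" with a -stealth switch; Sober.d builds both its file name and its Run/RunOnce value names from the short string pool listed in this entry. Both patterns can be checked without signatures. The Python script below is an added example, not code from this page or from NAI: it parses a constructed reg export of the Run and RunOnce keys and constructed directory listings of %WinDir% and %SysDir%, flags Run values that point at a system-binary name outside System32 or carry the -stealth switch, flags names that can be spelled entirely from the Sober.d string pool, and matches the dropped-file names and sizes given in the Netsky.j and Sober.d entries. The sample registry text and listings are constructed; the System32-only names beyond WINLOGON.EXE are my generalization, not from the page.

```python
r"""Autorun and file-name triage for the host artifacts in the Netsky.j and Sober.d
entries.  Added example, not UH or NAI code.  It parses a constructed 'reg export'
of the Run/RunOnce keys and constructed directory listings; on a real machine feed it
'reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run r.reg' and a 'dir'."""
import functools
import ntpath
import re

# Sober.d string pool from the entry above: its file and value names are built by
# concatenating these.  Legitimate names can be too (win+32), so a hit means "look".
SOBER_POOL = ("sys", "host", "dir", "explorer", "win", "run", "log", "32", "disc",
              "crypt", "data", "diag", "spool", "service", "smss32")
SOBER_DROPPED = {"humgly.lkur", "temp32x.data", "wintmpx33.dat", "yfjq.yqwm", "zmndpgwf.kxx"}
KNOWN_VALUES = {"icq net": "Netsky.d/.j", "spool32": "Sober.d", "diagdir": "Sober.d"}
WORM_SIZES = {17424: "Netsky.d", 22016: "Netsky.j"}
# Binaries that belong in %SysDir%; a same-named copy in %WinDir% is the Netsky trick.
# WINLOGON.EXE is from the entry; the others are my generalization (assumption).
SYSDIR_ONLY = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "smss.exe"}
EXE_PATH = re.compile(r'^"?([^"]*?\.exe)"?(\s|$)', re.I)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def pool_segmentation(name):
    """Tokens from SOBER_POOL that spell `name` exactly (two or more), else None."""
    name = name.lower()

    @functools.lru_cache(maxsize=None)
    def solve(i):  # full backtracking search, memoised on position
        if i == len(name):
            return ()
        for tok in SOBER_POOL:
            if name.startswith(tok, i):
                rest = solve(i + len(tok))
                if rest is not None:
                    return (tok,) + rest
        return None

    toks = solve(0)
    return list(toks) if toks and len(toks) >= 2 else None


def check_name(name, where, size=None):
    """Findings for one file name sitting in directory `where`."""
    base, ext = ntpath.splitext(name.lower())
    found = []
    if base + ext in SOBER_DROPPED:
        found.append(f"{where}\\{name}: Sober.d dropped file")
    toks = pool_segmentation(base)
    if toks:
        found.append(f"{where}\\{name}: built from Sober.d string pool {'+'.join(toks)}")
    if ext == ".exe" and base + ext in SYSDIR_ONLY and "system32" not in where.lower():
        found.append(f"{where}\\{name}: {name} belongs in %SysDir%; a copy in %WinDir% is the Netsky trick")
    if size in WORM_SIZES:
        found.append(f"{where}\\{name}: {size} bytes matches {WORM_SIZES[size]}")
    return found


def triage_registry(reg_text):
    """Walk a reg-export text; inspect values under ...\\Run and ...\\RunOnce."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if not m or not key.lower().endswith(("\\run", "\\runonce")):
            continue
        vname, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo reg escaping
        if vname.lower() in KNOWN_VALUES:
            findings.append(f"{key} '{vname}': value name used by {KNOWN_VALUES[vname.lower()]}")
        if "-stealth" in data.lower():
            findings.append(f"{key} '{vname}': -stealth switch (Netsky)")
        if pool_segmentation(vname):
            findings.append(f"{key} '{vname}': value name built from Sober.d string pool")
        path = EXE_PATH.match(data)
        if path:
            d, f = ntpath.split(path.group(1))
            findings.extend(check_name(f, d))
    return findings


def triage_listing(directory, entries):
    """entries: (filename, size) pairs as read off a 'dir' listing."""
    return [f for name, size in entries for f in check_name(name, directory, size)]


# Constructed samples: one clean value, one Netsky.j-style, two Sober.d-style.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"ICQ Net"="C:\\WINNT\\WINLOGON.EXE -stealth"
"spool32"="C:\\WINNT\\system32\\diagwinhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"diagdir"="C:\\WINNT\\system32\\diagwinhost.exe %1"
'''
SAMPLE_WINDIR = [("explorer.exe", 1032192), ("notepad.exe", 50960), ("WINLOGON.EXE", 22016)]
SAMPLE_SYSDIR = [("winlogon.exe", 179712), ("svchost.exe", 8192), ("diagwinhost.exe", 33792),
                 ("temp32x.data", 46244), ("Humgly.lkur", 0), ("disc32data.exe", 33792)]


def run_demo():
    return (triage_registry(SAMPLE_REG) + triage_listing(r"C:\WINNT", SAMPLE_WINDIR)
            + triage_listing(r"C:\WINNT\system32", SAMPLE_SYSDIR))
```

Treat a string-pool hit as a reason to look, not a verdict: legitimate names can also be assembled from the pool, which is why single-token names such as explorer are not flagged and why the dropped-file names and the worm file sizes are checked alongside it.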

       

       

      W32/Bagle.j@MM
      (also known as W32.Beagle.j@mm)
      March 2, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4332 (released 3/2/2004 6:00 pm HST)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101071.htm

      Stinger Removal Tool: http://vil.nai.com/vil/stinger/

      March 2, 2004 7:15 pm HST

      NAI raised the risk level of the W32/Bagle.j@MM variant to MEDIUM due to increased prevalence. Please update your McAfee DAT to 4332 as soon as possible. If you suspect that your computer is infected with W32/Bagle.j@MM, download the updated Stinger removal tool (v2.1.0, 3/2/04).

      This worm spreads via email with a spoofed FROM address and a carefully crafted message posing as a warning about a problem with your email account; at first glance it looks like a legitimate notification. The attachment may be a password-protected ZIP file or a file with an .EXE or .PIF extension; if it is a ZIP file, the password is included in the message body. The worm also copies itself to folders whose name contains the string shar, which are commonly used by peer-to-peer file-sharing applications.

      It also opens TCP port 2745 on the infected computer for remote connections.

      The email arrives with the following characteristics:
      From: (spoofed address)
      Subject: (one of the following)
      • E-mail account security warning.
      • Notify about using the e-mail account.
      • Warning about your e-mail account.
      • Important notify about your e-mail account.
      • Email account utilization warning.
      • Notify about your e-mail account utilization.
      • E-mail account disabling warning.

      Body: (carefully constructed from parts to make it appear like an authentic message)

      Greeting (one of the following)
      • Dear user of (user's domain) ,
      • Dear user of (user's domain) gateway e-mail server,
      • Dear user of e-mail server "(user's domain) ",
      • Hello user of (user's domain) e-mail server,
      • Dear user of "(user's domain) " mailing system,
      • Dear user, the management of (user's domain) mailing system wants to let you know that,
      Main Message Text (one of the following)
      • Your e-mail account has been temporary disabled because of unauthorized access.
      • Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service.
      • Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information.
      • We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions.
      • Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software.
      • Some of our clients complained about the spam (negative e-mail content) outgoing from your e-mail account. Probably, you have been infected by a proxy-relay trojan server. In order to keep your computer safe, follow the instructions.
      Attachment Explanation (one of the following)
      • For more information see the attached file.
      • Further details can be obtained from attached file.
      • Advanced details can be found in attached file.
      • For details see the attach.
      • For details see the attached file.
      • For further details see the attach.
      • Please, read the attach for further details.
      • Pay attention on attached file.
      Password Information (if received as a ZIP file)
      • For security reasons attached file is password protected. The password is "(five random numbers) ".
      • For security purposes the attached file is password protected. Password is "(five random numbers) ".
      • Attached file protected with the password for security reasons. Password is (five random numbers) .
      • In order to read the attach you have to use the following password: (five random numbers) .
      Closing (one of the following)
      • The Management,
      • Sincerely,
      • Best wishes,
      • Have a good day,
      • Cheers,
      • Kind regards,
      The (user's domain) team http://www.(user's domain)
      Attachment: (one of following with .EXE, .PIF, or .ZIP extension)
      • Attach
      • Information
      • Readme
      • Document
      • Info
      • TextDocument
      • TextFile
      • MoreInfo
      • Message
      The worm uses the WordPad icon to make the attachment look like a WordPad document, but it is really an executable file.
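The account-warning message assembled from the parts above (the same sentences appear at the top of this page section), together with the Netsky.j "Re: ..." messages described earlier, can be recognized mechanically on the mail gateway. The following Python script is an added example, not code from this page or from NAI: it matches a raw message against the subject, body and attachment indicators quoted in these entries and, because both worms forge the FROM address, also pulls the connecting IP out of the bottom-most Received: header, which is the only trustworthy clue to which machine actually sent the message. All hosts, addresses and sample messages in it are constructed for the demo.

```python
"""Triage for the worm e-mail in the Bagle.j/.k and Netsky.j entries.  Added
example, not UH or NAI code.  Indicator strings are copied from the alert text
with the worm's misspellings intact (that is how it sends them); the sample
messages and every host/address below are constructed for the demo."""
import email
import re
from email import policy
from email.message import EmailMessage

BAGLE_SUBJECTS = {"E-mail account security warning.", "Notify about using the e-mail account.",
                  "Warning about your e-mail account.", "Important notify about your e-mail account.",
                  "Email account utilization warning.", "Notify about your e-mail account utilization.",
                  "E-mail account disabling warning."}
BAGLE_BODY = (
    "Your e-mail account has been temporary disabled because of unauthorized access.",
    "Our main mailing server will be temporary unavaible for next two days",
    "Your e-mail account will be disabled because of improper using in next three days",
    "We warn you about some attacks on your e-mail account.",
    "Our antivirus software has detected a large ammount of viruses outgoing",
    "Probably, you have been infected by a proxy-relay trojan server.")
BAGLE_PASSWORD = re.compile(r'password[^\d"]{0,40}"?(\d{5})"?', re.I)  # 'password is "48213"'
NETSKY_SUBJECT = re.compile(
    r"^Re: (Hello|Hi|Thanks!|Document|Message|Here|Details|Your details|Approved|Your document|"
    r"Your text|Excel file|Word file|My details|Your music|Your bill|Your letter|Your website|"
    r"Your product|Your software|Your archive|Your picture|Here is the document)$")
NETSKY_BODY = {"Here is the file.", "Your file is attached.", "Your document is attached.",
               "Please read the attached file.", "Please have a look at the attached file.",
               "See the attached file for details."}
NETSKY_PIF = {"yours.pif", "your_text.pif", "your_bill.pif", "mp3music.pif", "document.pif",
              "my_details.pif", "your_file.pif", "your_website.pif", "your_product.pif",
              "your_letter.pif", "your_archive.pif", "your_details.pif", "document_word.pif",
              "all_document.pif", "application.pif", "your_picture.pif", "document_excel.pif",
              "document_4351.pif", "document_full.pif", "message_part2.pif",
              "your_document.pif", "message_details.pif"}
NETSKY_J_SIZE = 22016  # attachment size given in the Netsky.j entry
FIRST_HOP = re.compile(r"from\s+\S+\s*\([^)]*\[([\d.]+)\]", re.I)


def originating_ip(msg):
    """IP in the bottom-most Received: header.  Each relay prepends its own, so the
    last one is the stamp our server put on the machine that connected to it."""
    hops = msg.get_all("Received") or []
    m = FIRST_HOP.search(" ".join(str(hops[-1]).split())) if hops else None
    return m.group(1) if m else None


def classify(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = " ".join(str(msg["Subject"] or "").split())
    body = " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    body = " ".join(body.split())  # collapse folding/whitespace before matching
    attachments = [(p.get_filename() or "", len(p.get_payload(decode=True) or b""))
                   for p in msg.iter_attachments()]
    hits = []
    if subject in BAGLE_SUBJECTS:
        hits.append("Bagle subject line")
    if any(s in body for s in BAGLE_BODY):
        hits.append("Bagle account-warning text")
    pw = BAGLE_PASSWORD.search(body)
    if pw and any(n.lower().endswith(".zip") for n, _ in attachments):
        hits.append(f"Bagle ZIP with its password ({pw.group(1)}) in the body")
    if NETSKY_SUBJECT.match(subject) and body in NETSKY_BODY:
        hits.append("Netsky subject/body pair")
    for name, size in attachments:
        if name.lower() in NETSKY_PIF:
            hits.append(f"Netsky attachment name {name}")
        if size == NETSKY_J_SIZE:
            hits.append(f"Netsky.j attachment size {size}")
    bagle = sum(h.startswith("Bagle") for h in hits)
    netsky = sum(h.startswith("Netsky") for h in hits)
    family = "Bagle.j/.k" if bagle >= 2 else "Netsky.j" if netsky >= 2 else None
    return {"family": family, "hits": hits, "from": str(msg["From"]),
            "origin_ip": originating_ip(msg)}


def build_sample(subject, body, attachment=None, sender="postmaster@example.edu"):
    """A message as our server would store it: the worm picked From:, but the bottom
    Received: holds the IP of the PC that actually connected (all constructed)."""
    m = EmailMessage()
    m["Received"] = ("from mx.example.edu (mx.example.edu [192.0.2.10]) by "
                     "mail.example.edu; Tue, 2 Mar 2004 19:15:00 -1000")
    m["Received"] = ("from pc123 (pc123.example.edu [198.51.100.7]) by "
                     "mx.example.edu; Tue, 2 Mar 2004 19:14:58 -1000")
    m["From"], m["To"], m["Subject"] = sender, "user@example.edu", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment[1], maintype="application",
                         subtype="octet-stream", filename=attachment[0])
    return m.as_bytes()


SAMPLES = {
    "bagle": build_sample(
        "Important notify about your e-mail account.",
        "Dear user of example.edu gateway e-mail server,\nYour e-mail account has been "
        "temporary disabled because of unauthorized access.\nFor more information see "
        "the attached file.\nFor security reasons attached file is password protected. "
        'The password is "48213".\nThe Management,\nThe example.edu team',
        ("Attach.zip", b"PK\x03\x04" + bytes(100))),
    "netsky": build_sample("Re: Your document", "Your document is attached.",
                           ("your_document.pif", b"MZ" + bytes(NETSKY_J_SIZE - 2))),
    "benign": build_sample("Re: lunch?", "See you at noon.")}


def run_demo():
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

On a real gateway you would feed classify() the raw message from the mail queue. A Bagle or Netsky verdict plus the origin IP tells you which internal PC to pull off the network; a bounce whose From: names you but whose first Received: hop is some other machine is exactly the spoofing these entries warn about.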

      The worm copies itself to the Windows System directory as IRUN4.EXE.
        C:\WINNT\SYSTEM32\IRUN4.EXE
      It creates a file IRUN4.EXEOPEN which is either a copy of itself or a ZIP file (~13KB) to be sent in email.

      It adds the following registry key to hook system startup:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        "ssafe.exe" = C:\WINNT\SYSTEM32\irun4.exe
      The worm attempts to terminate security processes.

      The worm contains its own SMTP server to construct infected email messages to send out, using a spoofed or forged FROM address. If you receive an email alert that you sent an infected email, your computer may not necessarily be infected because of spoofing. It gathers email addresses from files on the infected computer with these extensions:
      • .adb
      • .asp
      • .cfg
      • .dbx
      • .eml
      • .htm
      • .mdx
      • .mmf
      • .nch
      • .ods
      • .php
      • .pl
      • .sht
      • .tbb
      • .txt
      • .wab
      • .xml
      The virus is careful not to send itself to email addresses that contain these words to avoid detection.
      • @avp
      • @hotmail.com
      • @microsoft
      • @msn.com
      • local
      • noreply
      • postmaster@
      • root@
      The worm copies itself to folders whose name includes the string shar, which are commonly used by peer-to-peer file-sharing applications such as KaZaa, BearShare, and LimeWire. If you have these P2P applications installed, beware: it is recommended that they be removed for security reasons. The worm copies itself under the following file names:
      • ACDSee 9.exe
      • Adobe Photoshop 9 full.exe
      • Ahead Nero 7.exe
      • Matrix 3 Revolution English Subtitles.exe
      • Microsoft Office 2003 Crack, Working!.exe
      • Microsoft Office XP working Crack, Keygen.exe
      • Microsoft Windows XP, WinXP Crack, working Keygen.exe
      • Opera 8 New!.exe
      • Porno pics arhive, xxx.exe
      • Porno Screensaver.scr
      • Porno, sex, oral, anal cool, awesome!!.exe
      • Serials.txt.exe
      • WinAmp 5 Pro Keygen Crack Update.exe
      • WinAmp 6 New!.exe
      • Windown Longhorn Beta Leak.exe
      • Windows Sourcecode update.doc.exe
      • XXX hardcore images.exe

       

       

      W32/Bagle.h@MM
      (also known as W32.Beagle.h@mm)
      March 2, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4331 (updated 3/2/2004 9:00 am HST on UH sites but doesn't work; use DAT 4332)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101068.htm

      Stinger Removal Tool: http://vil.nai.com/vil/stinger/

      March 2, 2004 7:15 pm HST

      NAI raised the risk level of the W32/Bagle.h@MM variant to MEDIUM due to increased prevalence. McAfee DAT 4331 was not working and was reported to NAI. McAfee DAT 4332 was released early to detect the W32/Bagle.j@MM virus and will detect the W32/Bagle.h@MM variant as well. Please update your DAT file to 4332 as soon as possible. If you suspect that your computer is infected with W32/Bagle.h@MM, download the updated Stinger removal tool (v2.1.0, 3/2/04).

      This worm spreads via email with a spoofed FROM address and a password-protected ZIP file attachment; the password is included in the message body. The executable inside the ZIP uses a folder icon to disguise itself. The worm also copies itself to folders whose name contains the string shar, which are commonly used by peer-to-peer file-sharing applications.

      It also opens TCP port 2745 on the infected computer for remote connections.

      The email arrives with the following characteristics:
      From: (spoofed address)
      Subject: (one of the following)
    • Weah, hello! :)
    • Hokki =)
    • Weeeeee! ;)))
    • Hi! :-)
    • ello! =))
    • ^-^ meay-meay!
    • ^-^ mew-mew (-:

      Body: (one of the following)
    • Hey, dude, it's me ^_^ :P
    • Argh, i don't like the plaintext :)
    • I don't bite, weah!
    • Looking forward for a response :P

      Attachment: password-protected ZIP file with randomly named executable within ZIP file.

      The password is included in the message body. The executable file uses an icon for a folder but is actually an executable file.

      The worm copies itself to the Windows System directory as i11r54n4.exe.
        C:\WINNT\SYSTEM32\i11r54n4.exe (21,318 bytes)
      It adds the following registry key to hook system startup:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        "rate.exe" = C:\WINNT\SYSTEM32\i11r54n4.exe
      It adds this key to the registry:
        HKEY_CURRENT_USER\Software\Winexe "open"
      It will also create other files in the Windows System directory:
      • go154o.exe (19,968 bytes) - DLL to do the mailing
      • ili5nlj4.exe (1,536 bytes) - DLL loader
      • i11r54n4.exeopen (20,774 bytes) - ZIP file to be sent in the email

      W32/Bagle.h@MM is similar to the .f variant.

      The worm contains its own SMTP server to construct infected email messages to send out, using a spoofed or forged FROM address. If you receive an email alert that you sent an infected email, your computer may not necessarily be infected because of spoofing. It gathers email addresses from files on the infected computer with these extensions:
      • .adb
      • .asp
      • .cfg
      • .dbx
      • .eml
      • .htm
      • .mdx
      • .mmf
      • .nch
      • .ods
      • .php
      • .pl
      • .sht
      • .tbb
      • .txt
      • .wab
      • .xml
      The virus is careful not to send itself to email addresses that contain these words to avoid detection.
      • @avp
      • @hotmail.com
      • @microsoft
      • @msn.com
      • local
      • noreply
      • postmaster@
      • root@
      It tries to contact the virus author by calling PHP scripts on remote sites.
        http://postertog.de/scr.php
        http://www.gfotxt.net/scr.php
        http://www.maiklibis.de/scr.php
      At the time of this post, the script did not exist on these web sites.

      The worm copies itself to folders whose name includes the string shar, which are commonly used by peer-to-peer file-sharing applications such as KaZaa, BearShare, and LimeWire. If you have these P2P applications installed, beware: it is recommended that they be removed for security reasons. The worm copies itself under the following file names:
      • ACDSee 9.exe
      • Adobe Photoshop 9 full.exe
      • Ahead Nero 7.exe
      • Matrix 3 Revolution English Subtitles.exe
      • Microsoft Office 2003 Crack, Working!.exe
      • Microsoft Office XP working Crack, Keygen.exe
      • Microsoft Windows XP, WinXP Crack, working Keygen.exe
      • Opera 8 New!.exe
      • Porno pics arhive, xxx.exe
      • Porno Screensaver.scr
      • Porno, sex, oral, anal cool, awesome!!.exe
      • Serials.txt.exe
      • WinAmp 5 Pro Keygen Crack Update.exe
      • WinAmp 6 New!.exe
      • Windown Longhorn Beta Leak.exe
      • Windows Sourcecode update.doc.exe
      • XXX hardcore images.exe

       

       

      W32/Bagle.e@MM
      (also known as W32.Beagle.E@MM)
      March 1, 2004

      Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
      Risk Assessment: Medium
      Minimum VirusScan DAT: 4330 (released 2/29/2004)
      Minimum VirusScan scan engine: 4.2.40
      For more information: http://vil.nai.com/vil/content/v_101061.htm
      Stinger Tool Available: http://vil.nai.com/vil/stinger/

      This new variant is similar to the W32/Bagle.c worm. It uses different file names to write to the local computer and it has a different file size. It listens on TCP port 2745 for remote connections.

      The email arrives with the following characteristics:
      From: (spoofed address)
      Body: (message body is empty)
      Subject: (one of following)

      • Accounts department
      • Ahtung!
      • Camila
      • Daily activity report
      • Flayers among us
      • Freedom for everyone
      • From Hair-cutter
      • From me
      • Greet the day
      • Hardware devices price-list
      • Hello my friend
      • Hi!
      • Jenny
      • Jessica
      • Looking for the report
      • Maria
      • Melissa
      • Monthly incomings summary
      • New Price-list
      • Price
      • Price list
      • Pricelist
      • Price-list
      • Proclivity to servitude
      • Registration confirmation
      • The account
      • The employee
      • The summary
      • USA government abolishes the capital punishment
      • Weekly activity report
      • Well...
      • You are dismissed
      • You really love me? he he
      Attachment: randomly named executable within a small ZIP file (~16KB)

      The file inside the ZIP uses a text-file icon but is actually an executable.
      After it is executed, Notepad appears with a blank window.

      This mass-mailing worm has the following characteristics:
      • contains its own SMTP server to send out infected email messages

      • gathers email addresses from files on the infected computer with these extensions:
      • .adb
      • .asp
      • .cfg
      • .dbx
      • .eml
      • .htm
      • .html
      • .mdx
      • .mmf
      • .nch
      • .ods
      • .php
      • .pl
      • .sht
      • .txt
      • .wab
      • spoofs the FROM field using addresses harvested from the infected computer
      • sends a notification of the infection to the virus author
        The worm does not send itself to email addresses that contain these strings, to avoid detection:
      • @avp
      • @hotmail.com
      • @microsoft
      • @msn.com
      • local
      • noreply
      • postmaster@
      • root@
      • It tries to contact the virus author by calling PHP scripts on remote sites.
          http://permail.uni-muenster.de/scr.php
          http://www.songtext.net/de/scr.php
          http://www.sportscheck.de/scr.php
          At the time of this post, the script did not exist on these web sites.

      • the infected computer has a remote control component and could be used at a later time
        The virus listens on TCP port 2745 for remote connections.

      • increased SMTP traffic within the network

      • the infected computer will have file i1ru74n4.exe (which is the virus itself) in the C:\WINNT\SYSTEM32 directory.

        It will also create other files in this directory:
        • godo.exe (18,944 bytes) - DLL to do the mailing
        • ii455nj4.exe (1,536 bytes) - DLL loader
        • i1ru74n4.exeopen (~16KB) - ZIP file to be sent in the email

      • There are some registry changes so that the virus can start up every time the computer is booted.

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe" = C:\WINNT\SYSTEM32\i1ru74n4.exe

          Additionally, the following Registry keys are added:

          • HKEY_CURRENT_USER\Software\DateTime2 "frun"
          • HKEY_CURRENT_USER\Software\DateTime2 "uid"
          • HKEY_CURRENT_USER\Software\DateTime2 "port"

        A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

      • The worm also tries to terminate the following security processes:
        • ATUPDATER.EXE
        • AUPDATE.EXE
        • AUTODOWN.EXE
        • AUTOTRACE.EXE
        • AUTOUPDATE.EXE
        • AVLTMAIN.EXE
        • AVPUPD.EXE
        • AVWUPD32.EXE
        • AVXQUAR.EXE
        • CFIAUDIT.EXE
        • DRWEBUPW.EXE
        • ICSSUPPNT.EXE
        • ICSUPP95.EXE
        • LUALL.EXE
        • MCUPDATE.EXE
        • NUPGRADE.EXE
        • OUTPOST.EXE
        • UPDATE.EXE

          W32/Netsky.d@MM
          March 1, 2004

          Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4328 (released 2/25/2004)
          Minimum VirusScan scan engine: 4.2.40
          For more information: http://vil.nai.com/vil/content/v_101064.htm

          March 1, 2004 - NAI raised the threat level to MEDIUM due to increased prevalence. DAT 4328 (released 2/25/2004) or higher will proactively detect this variant with scanning of compressed files enabled.

          W32/Netsky.d is a worm that spreads by mass mailing. It has its own SMTP engine that connects directly to your mail server (e.g. mail.hawaii.edu) and sends out infected attachments (17,424 bytes) with a .PIF extension to email addresses it finds on the local system in address book files, word-processing files (e.g. .doc), and web files such as .htm, .asp, and .cgi (see the list of file extensions below). The messages spoof the sender's address using addresses found in those same files. Do not open attachments that arrive with "return to sender" messages from people you do not know; delete these messages and purge them from your mailboxes.

          Netsky harvests email addresses (both recipients and spoofed senders) from files with these extensions:

        • .adb
        • .asp
        • .cgi
        • .dbx
        • .dhtm
        • .doc
        • .eml
        • .htm
        • .oft
        • .php
        • .pl
        • .rtf
        • .sht
        • .shtm
        • .msg
        • .tbb
        • .txt
        • .uin
        • .vbs
        • .wab
          The worm arrives in an email message with the following characteristics:

          From: (forged or spoofed address from infected system)
          Subject: (one of the following)
          • Re: Hello
          • Re: Hi
          • Re: Thanks!
          • Re: Document
          • Re: Message
          • Re: Here
          • Re: Details
          • Re: Your details
          • Re: Approved
          • Re: Your document
          • Re: Your text
          • Re: Excel file
          • Re: Word file
          • Re: My details
          • Re: Your music
          • Re: Your bill
          • Re: Your letter
          • Re: Document
          • Re: Your website
          • Re: Your product
          • Re: Your document
          • Re: Your software
          • Re: Your archive
          • Re: Your picture
          • Re: Here is the document
          Body: (one of the following)
          • Here is the file.
          • Your file is attached.
          • Your document is attached.
          • Please read the attached file.
          • Please have a look at the attached file.
          • See the attached file for details.
          Attachment: filenames taken from strings within the worm, with a .PIF extension. Possible attachment names are:
          • yours.pif
          • your_text.pif
          • your_bill.pif
          • mp3music.pif
          • document.pif
          • my_details.pif
          • your_file.pif
          • your_website.pif
          • your_product.pif
          • your_letter.pif
          • your_archive.pif
          • your_details.pif
          • document_word.pif

          Netsky copies itself to the default Windows folder using the filename WINLOGON.EXE
          • c:\WINNT\WINLOGON.EXE (17,424 bytes)

          Note: a legitimate WINLOGON.EXE file exists in the Windows System directory.

          Netsky.d removes the Registry entries made by other recent viruses (W32/Netsky.a@MM, W32/Netsky.b@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Mimail.t@MM) and also removes some services from the Registry.

          A registry key is created to load the worm on startup:
          • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
            "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth

          Symptoms of Netsky.d are the files and Registry key listed above, unexpected network traffic, and outgoing DNS requests sent directly to one of the following IP addresses:

          • 145.253.2.171
          • 151.189.13.35
          • 193.141.40.42
          • 193.189.244.205
          • 193.193.144.12
          • 193.193.158.10
          • 194.25.2.129
          • 194.25.2.130
          • 194.25.2.131
          • 194.25.2.132
          • 194.25.2.133
          • 194.25.2.134
          • 195.185.185.195
          • 195.20.224.234
          • 212.185.252.136
          • 212.185.252.73
          • 212.185.253.70
          • 212.44.160.8
          • 212.7.128.162
          • 212.7.128.165
          • 213.191.74.19
          • 217.5.97.137
          • 62.155.255.16
          Please use the Stinger tool to detect Netsky if you do not know what to do. The Stinger tool may be downloaded from http://vil.nai.com/vil/stinger/.
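The network-side symptoms in this and the Bagle entries above (backdoor listeners on TCP 2745, the scr.php call-backs, Netsky.d's DNS requests to its own hard-coded server list, and worms that carry their own SMTP engine) can be spotted from netstat, proxy and firewall logs. The Python script below is an added example, not code from this page or from NAI: it runs those checks over constructed sample lines. The netstat lines follow the layout of netstat -an; the proxy lines are a simple client/method/URL/status form I made up; the firewall lines use the field order of a Windows ICF pfirewall.log (an assumption). The site resolver and mail relay addresses are placeholders; substitute your own, because the point of the DNS and SMTP checks is that a workstation should only ever talk to those.

```python
"""Network-side triage for the symptoms in this and the Bagle entries above: backdoor
listeners on TCP 2745/2556, the scr.php call-backs, DNS sent straight to Netsky.d's
hard-coded servers, and workstations running their own SMTP engine.  Added example,
not UH or NAI code; all log lines, hosts and addresses are constructed for the demo."""
import re
from urllib.parse import urlsplit

BACKDOOR_PORTS = {2745: "Bagle.c/.e/.h/.j backdoor",
                  2556: "Bagle variant backdoor (port 2556, first entry above)"}
CALLBACK_HOSTS = {"postertog.de", "www.gfotxt.net", "www.maiklibis.de",               # Bagle.h
                  "permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de"}  # Bagle.c/.e
NETSKY_DNS = {"145.253.2.171", "151.189.13.35", "193.141.40.42", "193.189.244.205",
              "193.193.144.12", "193.193.158.10", "194.25.2.129", "194.25.2.130",
              "194.25.2.131", "194.25.2.132", "194.25.2.133", "194.25.2.134",
              "195.185.185.195", "195.20.224.234", "212.185.252.136", "212.185.252.73",
              "212.185.253.70", "212.44.160.8", "212.7.128.162", "212.7.128.165",
              "213.191.74.19", "217.5.97.137", "62.155.255.16"}
# Site-specific placeholders (assumed): the only resolvers and the only mail relay
# that a workstation should ever talk to.  Substitute your own.
SITE_RESOLVERS = {"192.0.2.53"}
SITE_MAIL_RELAY = "192.0.2.25"

NETSTAT_LINE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
# date time action proto src dst sport dport ... (Windows ICF pfirewall.log order, assumed)
FIREWALL_LINE = re.compile(r"^(\S+ \S+) (OPEN|DROP|CLOSE) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)")


def check_netstat(lines):
    """Backdoor listeners in 'netstat -an' output."""
    out = []
    for line in lines:
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(1)) in BACKDOOR_PORTS:
            out.append(f"listening on TCP {m.group(1)}: {BACKDOOR_PORTS[int(m.group(1))]}")
    return out


def check_proxy(lines):
    """Call-backs to the scr.php hosts; lines are '<client> <method> <url> <status>'
    (a made-up access-log shape; adapt the split to your proxy's format)."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        u = urlsplit(parts[2])
        if u.hostname in CALLBACK_HOSTS and u.path.endswith("/scr.php"):
            out.append(f"{parts[0]} polled {parts[2]}: Bagle infection notification")
    return out


def check_firewall(lines):
    """DNS to the Netsky.d server list (or to any non-site resolver) and SMTP from a
    workstation to anything but the site relay, the traffic a worm's own SMTP engine makes."""
    out = []
    for line in lines:
        m = FIREWALL_LINE.match(line)
        if not m:
            continue
        _, _, proto, src, dst, _, dport = m.groups()
        dport = int(dport)
        if dport == 53 and dst in NETSKY_DNS:
            out.append(f"{src} sent DNS to {dst}: Netsky.d hard-coded DNS server")
        elif dport == 53 and dst not in SITE_RESOLVERS:
            out.append(f"{src} sent DNS to {dst}: bypassing the site resolvers")
        if proto == "TCP" and dport == 25 and dst != SITE_MAIL_RELAY:
            out.append(f"{src} opened SMTP to {dst}: mailing directly, not via the site relay")
    return out


SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2745           0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1054      192.0.2.25:25          ESTABLISHED
""".splitlines()
SAMPLE_PROXY = ["192.168.1.23 GET http://www.hawaii.edu/askus/ 200",
                "192.168.1.23 GET http://postertog.de/scr.php 404",
                "192.168.1.40 GET http://www.songtext.net/de/lyrics.php 200"]
SAMPLE_FIREWALL = ["2004-03-01 10:02:11 OPEN UDP 192.168.1.23 192.0.2.53 1044 53",
                   "2004-03-01 10:02:12 OPEN UDP 192.168.1.23 194.25.2.129 1045 53",
                   "2004-03-01 10:02:13 OPEN TCP 192.168.1.23 203.0.113.9 1046 25",
                   "2004-03-01 10:02:14 OPEN TCP 192.168.1.40 192.0.2.25 1047 25"]


def run_demo():
    return check_netstat(SAMPLE_NETSTAT) + check_proxy(SAMPLE_PROXY) + check_firewall(SAMPLE_FIREWALL)
```

The DNS check catches Netsky.d specifically by its server list and, more generally, any host resolving through something other than the site resolvers; the SMTP check catches Bagle-style direct mailing. Netsky.d connects to your own mail server, so for it the DNS line is the one that fires.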

           

           

          W32/Bagle.c@MM
          Feb. 27, 2004

          Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4329 (released 2/27/2004 at 4:00 pm HST)
          Minimum VirusScan scan engine: 4.2.40
          For more information: http://vil.nai.com/vil/content/v_101059.htm
          Stinger Tool Available: Yes. http://vil.nai.com/vil/stinger/

          This is a mass-mailing worm that has the following characteristics:

          • contains its own SMTP server to send out infected email messages
            The body of the email message is empty, and there is a variety of subject lines. McAfee is still learning about this virus, so these are only some of the subject lines: Accoutns department, Ahtung!, the employee, and Camila. The attachment is a small ZIP file that contains a file that looks like an Excel file but is actually an executable.
            After the attachment is executed, Notepad appears with a blank window.

          • gleans email addresses from the infected computer
            The email addresses are gleaned from these files:
          • .adb
          • .asp
          • .cfg
          • .dbx
          • .eml
          • .htm
          • .html
          • .mdx
          • .mmf
          • .nch
          • .ods
          • .php
          • .pl
          • .sht
          • .txt
          • .wab
          • randomly places email addresses that it finds into the FROM field
             
          • notification is sent to the hacker (virus author) about its infection
            The virus is careful not to send itself to email addresses that contain these words because it wants to avoid detection.
          • @avp
          • @hotmail.com
          • @microsoft
          • @msn.com
          • local
          • noreply
          • postmaster@
          • root@
          • It tries to contact the virus author by calling PHP scripts on remote sites.
              http://permail.uni-muenster.de/scr.php
              http://www.songtext.net/de/scr.php
              http://www.sportscheck.de/scr.php
              At the time of this post, the script did not exist on these web sites.

          • the infected computer has a remote control component and could be used at a later time
            The virus listens on TCP port 2745 for remote connections.
• Besides increased SMTP traffic within the network, the infected computer will have a README.EXE (the virus itself) in the C:\WINNT\SYSTEM32 directory. It also creates these other files in that directory:
            • onde.exe - DLL to do the mailing
            • doc.exe - DLL loader
            • readme.exeopen - ZIP file to be sent in the email
          • There are some registry changes so that the virus can start up every time the computer is booted.
              HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gouday.exe" = C:\WINNT\SYSTEM32\README.EXE

              Additionally, the following Registry keys are added:

              • HKEY_CURRENT_USER\Software\DateTime2 "frun"
              • HKEY_CURRENT_USER\Software\DateTime2 "uid"
              • HKEY_CURRENT_USER\Software\DateTime2 "port"

            A mutex called "imain_mutex" is created to ensure only one instance of the worm is running at a time.

• The virus also tries to terminate the following security-related processes if they are running on the computer:
            • ATUPDATER.EXE
            • AUPDATE.EXE
            • AUTODOWN.EXE
            • AUTOTRACE.EXE
            • AUTOUPDATE.EXE
            • AVLTMAIN.EXE
            • AVPUPD.EXE
            • AVWUPD32.EXE
            • AVXQUAR.EXE
            • CFIAUDIT.EXE
            • DRWEBUPW.EXE
            • ICSSUPPNT.EXE
            • ICSUPP95.EXE
            • LUALL.EXE
            • MCUPDATE.EXE
            • NUPGRADE.EXE
            • OUTPOST.EXE
            • UPDATE.EXE

              W32/Netsky.c@MM
              Feb. 25, 2004

Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
              Risk Assessment: Medium
              Minimum VirusScan DAT: 4328 (released 2/25/2004)
              Minimum VirusScan scan engine: 4.2.40
              For more information: http://vil.nai.com/vil/content/v_101048.htm

W32/Netsky.c is a virus that distributes itself in two ways. The first is through email. It has its own SMTP server that makes a direct connection to your mail server (e.g. mail.hawaii.edu) and sends out infected attachments to email addresses that it finds in address book files, word processing files (e.g. .doc), and web files such as .htm, .asp, and .cgi. Please see the list below. The messages are designed to impersonate the email addresses found in these files, so you might receive return-to-sender messages from people that you do not know. Do not open these emails' attachments. Please delete them and purge them from your mail boxes.
This is a list of the files that Netsky uses to glean email addresses to impersonate.

            • .adb
            • .asp
            • .cgi
            • .dbx
            • .dhtm
            • .doc
            • .eml
            • .htm
            • .oft
            • .php
            • .pl
            • .rtf
            • .sht
            • .shtm
            • .msg
            • .tbb
            • .txt
            • .uin
            • .vbs
            • .wab

The email attachment might have a double extension so that it is more difficult to detect. This is a list of some common extensions. The first extension may be:

            • .doc
            • .htm
            • .rtf
            • .text

            The last extension is one of the following:
            • .com
            • .exe
            • .pif
            • .scr

The second method is through peer-to-peer (P2P) file sharing (e.g. Kazaa). The virus looks for folder names that have "shar" inside the name (e.g. C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS). The folders can be on your computer or a shared folder from a server. It copies itself into these folders and changes its name (e.g. MS Service Pack 5.exe or Microsoft Office 2003 Crack.exe). The full list of filenames can be found at http://vil.nai.com/vil/content/v_101048.htm

Netsky will also remove the registry edits made by previous viruses such as MyDoom, Netsky.a, and others, and removes some services from the registry. Specifically, the virus removes various Registry values associated with other recent viruses (W32/Netsky.a@MM, W32/Netsky.b@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Mimail.t@MM).

            The following values:

            • Sentry
            • OLE
            • service
            • au.exe
            • d3dupdate.exe
            • DELETE ME
            • msgsvr32

are deleted from the CurrentVersion\Run and CurrentVersion\RunServices Registry keys.

            The following Registry keys are also deleted:

            • HKEY_CLASSES_ROOT\CLSID\
              {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
            • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
              Run "KasperskyAv"
            • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
              Run "system."

Symptoms of Netsky.c are the existence of its files and registry keys, unexpected network traffic, and outgoing DNS requests to a variety of IP addresses.


            Manual Removal Instructions
            Note: Improper removal of registry keys could cause your Windows to crash or not function at all. Please use your antivirus software or call the ITS Help Desk for assistance (808) 956-8883.

            To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
2. Delete the file WINLOGON.EXE from your WINDOWS directory (typically c:\windows or c:\winnt).
  NOTE: DO NOT delete the file WINLOGON.EXE from the WINDOWS SYSTEM directory (e.g. c:\windows\system, c:\windows\system32, c:\winnt\system, or c:\winnt\system32), as that is a valid Windows system file.

            3. Edit the registry
              • Delete the "ICQ Net" value from
                • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
                  Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\
                  Windows\CurrentVersion\Run
            Please use the Stinger tool to detect Netsky if you do not know what to do. The Stinger tool may be downloaded from http://vil.nai.com/vil/stinger/.


            W32/Mydoom.f@MM
            Feb. 23, 2004

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4327 (released 2/23/2004)
Minimum VirusScan scan engine: 4.2.40
            For more information: http://vil.nai.com/vil/content/v_101038.htm

W32/Mydoom.f@MM is a mass-mailing worm that is spread via email and by copying itself to mapped drives. It opens a backdoor on TCP port 1080 and can download and execute arbitrary files. It performs a Denial of Service (DoS) attack on www.microsoft.com and www.riaa.com if the infected computer's system date is between the 17th and 22nd of the month. The worm searches drives C: to Z: and deletes files with .mdb, .doc, .xls, .sav, .jpg, .avi, and .bmp extensions. The outgoing messages have attachment filenames with .cmd, .bat, .pif, .com, .scr, and .exe extensions, and may be contained in a .ZIP file. The icon of the attachment may make it appear to be a text file.

            The email has the following characteristics:
            From: (spoofed or forged address)
            Subject: (one of following)

          • (blank)
          • Announcement
          • ApprovedNews
          • Attention
• automatic responder
          • Bug
          • Current Status
          • EXPIRED ACCOUNT
          • For your information
          • hello
          • hi, it's me
          • hi
          • IMPORTANT
          • Information Warning
          • Love is Love is...
          • Please read
          • Please reply
          • Re: Approved
          • Re: Thank You
          • Re:
          • Read it immediately
          • read now!
          • Read this
          • Readme
          • Recent news
          • Something for you
          • Undeliverable message
          • Unknown
          • You have 1 day left
          • You use illegal File Sharing...
          • Your IP was logged
          • Your account is about to be expired
          • Your credit card
          • Your order is being processed
          • Your order was registered
          • Your request is being processed
          • Your request was registered

            Body: (varies, such as)
          • Check the attached document
          • Details are in the attached document. You need Microsoft Office to open it.
          • Greetings
          • Here is the document.
          • Here it is
          • I have your password :)
          • I wait for your reply.
          • I'm waiting Okay
          • I'm waiting
          • Information about you
          • Is that from you?
          • Is that yours?
          • Kill the writer of this document!
          • OK Everything ok?
          • Please see the attached file for details
          • Please, reply
          • Read the details.
          • Reply
          • See the attached file for details
          • See you Here it is
          • See you
          • Something about you
          • Take it
          • The document was sent in compressed format.
          • We have received this document from your e-mail.
          • You are a bad writer
          • You are bad

            Attachment: (variable filename with .cmd, .bat, .pif, .com, .scr, .exe extension or may be contained in a .ZIP file)
          • creditcard.bat
          • creditcard.zip
          • details.zip
          • mail.zip
          • notes.zip
          • part1.zip
          • paypal.zip
          • photo.zip
          • textfile.zip
          • vpf.zip
          • website.zip
          • %random characters%.zip

            The icon for the attachment may make it appear to be a text file.

It copies itself to the WINDOWS SYSTEM directory using random filenames, e.g. hiruszomrk.exe (%SYSDIR%\hiruszomrk.exe).

            It creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "nhch" = %SYSDIR%\hiruszomrk.exe
            It also uses a DLL that it creates in the Windows System directory as:
              %SYSDIR%\vppu.dll (8,068 bytes)
The worm copies itself as .ZIP or .EXE files in different directories on the local hard drive and mapped drives. The filenames are random and the files are 34 Kbytes in size. The worm searches the %System% folder on drives C: through Z: and deletes files with .bmp, .avi, .jpg, .sav, .xls, .doc, and .mdb extensions.

            The worm harvests email addresses from files on drives C: to Z:, Temporary Internet Files folder (Internet Explorer web browser cache), and the Windows address book. It uses its own SMTP engine to construct outgoing messages.

            The worm checks current running processes and attempts to shut down anti-virus and other processes.

            If the system date is between the 17th and 22nd of the month, it performs a Denial of Service (DoS) attack on www.microsoft.com and www.riaa.com using random ports on the infected computers.

            The worm listens on TCP port 1080 and opens ports from 3000 through 5000.

            If you are infected, please make sure you have the McAfee DAT file 4327 (released on Feb. 23, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.3, 2/23/04) has been updated to detect and clean this threat.

            W32/Netsky.b@MM
            Feb. 18, 2004

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4325 (released 2/18/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101034.htm

W32/Netsky.b@MM is a mass-mailing worm that is spread via email and by copying itself to folders named share or sharing on the local system and mapped network drives. This results in virus propagation via KaZaa, Bearshare, Limewire, and other P2P applications that use shared folders named share or sharing. It also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. The outgoing messages have attachment filenames with a double extension, such as .rtf.pif, and may be contained in a .ZIP file.

            The email has the following characteristics:
            From: (spoofed or forged address taken from infected system) or skynet@skynet.de
            Subject: (one of following)

          • fake
          • for
          • hello
          • hi
          • immediately
          • information
          • it
          • read
          • something
          • stolen
          • unknown
          • warning
          • you

            Body: (one of following)
          • about me
          • anything ok?
          • do you? that's funny
          • from the chatter
          • greetings
          • here
          • here is the document.
          • here it is
          • here, the cheats
          • here, the introduction
          • here, the serials
          • i found this document about you
          • I have your password!
          • i hope it is not true!
          • i wait for a reply!
          • i'm waiting ok
          • information about you
          • is that from you?
          • is that true?
          • is that your account?
          • is that your name?
          • kill the writer of this document!
          • my hero
          • read it immediately!
          • read the details.
          • reply
          • see you
          • something about you!
          • something is fool
          • something is going wrong
          • something is going wrong!
          • take it easy
          • that is bad
          • thats wrong why?
          • what does it mean?
          • yes, really?
          • you are a bad writer
          • you are bad
          • you earn money
          • you feel the same
          • you try to steal
          • your name is wrong

            Attachment: (random filename with double extension or may be contained in a .ZIP file, size 22,016 bytes, one of following)
          • aboutyou
          • attachment
          • bill
          • concert
          • creditcard
          • details
          • dinner
          • disco
          • doc
          • document
          • final
          • found
          • friend
          • jokes
          • location
          • mail2
          • mails
          • me
          • message
          • misc
          • msg
          • nomoney
          • note
          • object
          • part2
          • party
          • posting
          • product
          • ps
          • ranking
          • release
          • shower
          • story
          • stuff
          • swimmingpool
          • talk
          • textfile
          • topseller
          • website

            followed by .doc, .htm, .rtf, or .txt and ending with .com, .exe, .pif, and .scr.

The virus gathers email addresses from files on the infected computer with .adb, .asp, .dbx, .doc, .eml, .htm, .html, .msg, .oft, .php, .pl, .rtf, .sht, .tbb, .txt, .uin, .vbs, and .wab extensions. It mails itself to harvested email addresses using its own SMTP engine to construct messages.

            Upon execution, a fake error message (The file could not be opened!) may be displayed.

            It copies itself to the default WINDOWS directory (c:\windows for Windows XP, c:\winnt for Windows NT/2000, c:\windows for Windows 95/98/ME) as SERVICES.EXE. Note: there is a legitimate Windows services.exe file in the WINDOWS SYSTEM directory.

            It creates a registry key to load itself on startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
            The worm copies itself to the share or sharing folder on the local system and on mapped network drives using one of the following filenames:
          • angels.pif
          • cool screensaver.scr
          • dictionary.doc.exe
          • dolly_buster.jpg.pif
          • doom2.doc.pif
          • e.book.doc.exe
          • e-book.archive.doc.exe
          • eminem - lick my pussy.mp3.pif
          • hardcore porn.jpg.exe
          • how to hack.doc.exe
          • matrix.scr
          • max payne 2.crack.exe
          • nero.7.exe
          • office_crack.exe
          • photoshop 9 crack.exe
          • porno.scr
          • programming basics.doc.exe
          • rfc compilation.doc.exe
          • serial.txt.exe
          • sex sex sex sex.doc.exe
          • strippoker.exe
          • virii.scr
          • win longhorn.doc.exe
          • winxp_crack.exe

            The worm also drops many .ZIP files containing the worm (22,016 bytes). The compressed file usually uses a filename with a double extension, such as .doc.pif, .rtf.com, .rtf.scr. These are the .ZIP filenames:
          • aboutyou.zip
          • attachment.zip
          • bill.zip
          • concert.zip
          • creditcard.zip
          • details.zip
          • dinner.zip
          • disco.zip
          • final.zip
          • found.zip
          • friend.zip
          • jokes.zip
          • location.zip
          • mail2.zip
          • mails.zip
          • me.zip
          • message.zip
          • misc.zip
          • msg.zip
          • nomoney.zip
          • note.zip
• object.zip
          • part2.zip
          • party.zip
          • posting.zip
          • product.zip
          • ps.zip
          • ranking.zip
          • release.zip
          • shower.zip
          • story.zip
          • stuff.zip
          • swimmingpool.zip
          • talk.zip
          • textfile.zip
          • topseller.zip
          • website.zip

            The worm also removes registry keys associated with W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

            If you are infected, please make sure you have the McAfee DAT file 4325 (released on Feb. 18, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.2, 2/18/04) has been updated to detect and clean this threat.

            W32/Bagle.b@MM
            Feb. 17, 2004

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4324 (released 2/17/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_101030.htm

The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Bagle.b@MM is a mass-mailing worm whose messages come from a spoofed address. It listens on TCP port 8866 for remote connections. The outgoing messages have random attachment names with an .EXE file extension (11,264 bytes). If the system date is Feb. 25, 2004 or later, the virus does not propagate.

            The email has the following characteristics:

            From: (address is spoofed)
            Subject: ID (random string)... thanks
            Body:
            Yours ID (random string2)
            --
            Thank
            Attachment: (random filename with .EXE extension, size 11,264 bytes)

The virus gathers email addresses from files on the infected computer with .wab, .txt, .htm, and .html extensions. It mails itself to harvested email addresses using its own SMTP engine. However, it doesn't mass-mail itself to addresses that include @hotmail.com, @msn.com, @microsoft, and @avp.

The virus listens on TCP port 8866 for remote connections. The purpose of this backdoor is being investigated by NAI.

            A notification is sent to the author via HTTP. A GET request with port number and "id" is sent to a PHP script on remote servers. Block access to the following domains:

          • http://www.47df.de
          • http://www.strato.de
          • http://intern.games-ring.de
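The Bagle.c alert above lists the scr.php scripts the worm calls, and the Bagle.b alert says its HTTP notification carries a port number and an "id" and names the domains to block. The following is an added example (not part of the alerts) that applies both indicators to a Squid-style proxy access log so you can find the internal machines that tried to check in; the log lines and the query parameter names (p, id) are constructed, and a denied request still identifies an infected client.

```python
"""Find the Bagle check-in traffic described in the Bagle.b and Bagle.c alerts in
a Squid-style proxy access log. Added example, not part of the alerts; the log
lines and the query parameter names are constructed."""
from __future__ import annotations

from urllib.parse import urlsplit

# Hosts the alerts say the worms report to.
BLOCKED_HOSTS = {
    "www.47df.de", "www.strato.de", "intern.games-ring.de",               # Bagle.b
    "permail.uni-muenster.de", "www.songtext.net", "www.sportscheck.de",  # Bagle.c
}
CHECKIN_SCRIPT = "/scr.php"   # script path the Bagle.c alert names on all three sites


def parse_squid_line(line: str) -> dict | None:
    """Squid native access.log: time elapsed client code/status bytes method URL ..."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"time": float(f[0]), "client": f[2], "status": f[3],
            "method": f[5], "url": f[6]}


def checkin_reason(rec: dict) -> str | None:
    """Why a request looks like a Bagle notification, or None if it does not."""
    if rec["method"] != "GET":
        return None
    u = urlsplit(rec["url"])
    if (u.hostname or "").lower() in BLOCKED_HOSTS:
        return "blocked host"
    if u.path.lower().endswith(CHECKIN_SCRIPT):
        return "check-in path"       # weaker indicator: other sites may host a scr.php
    return None


def find_checkins(log_text: str) -> list[dict]:
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        reason = checkin_reason(rec) if rec else None
        if reason:
            hits.append({**rec, "reason": reason})
    return hits


def infected_clients(log_text: str) -> dict[str, int]:
    """Internal client -> number of check-in attempts. A TCP_DENIED/403 still
    counts: the block stopped the notification, not the worm on that machine."""
    counts: dict[str, int] = {}
    for rec in find_checkins(log_text):
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


# Constructed sample log (timestamps are Feb. 2004, clients are private addresses).
SAMPLE_LOG = """\
1077062400.101    45 10.20.30.40 TCP_MISS/404 310 GET http://www.sportscheck.de/scr.php?p=2745&id=0a1b2c - DIRECT/1.2.3.4 text/html
1077062401.204    12 10.20.30.40 TCP_MISS/200 8120 GET http://www.hawaii.edu/ - DIRECT/5.6.7.8 text/html
1077062410.330     0 10.20.30.41 TCP_DENIED/403 1200 GET http://www.47df.de/1.php?p=8866&id=9f8e - NONE/- text/html
1077062411.001   220 10.20.30.42 TCP_MISS/200 5400 GET http://www.example.edu/scr.php?x=1 - DIRECT/9.9.9.9 text/html
1077062415.550    30 10.20.30.40 TCP_MISS/404 310 GET http://www.songtext.net/de/scr.php?p=2745&id=0a1b2c - DIRECT/1.2.3.5 text/html
"""

if __name__ == "__main__":
    for h in find_checkins(SAMPLE_LOG):
        print(h["client"], h["status"], h["url"], "->", h["reason"])
    print(infected_clients(SAMPLE_LOG))
```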

            When the attachment is run and the system date is Feb. 25, 2004 or later, the virus exits and doesn't propagate.

            If the system date is before Feb. 25, 2004, the virus runs the standard Windows Sound Recorder program (SNDREC32.EXE). The virus uses the same icon as the Windows Sound Recorder.

(Screenshot: W32/Bagle.b@MM as Windows Sound Recorder)

            It also copies itself to the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME) as au.exe.

            It creates a registry key to load itself on startup:

              HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
              Run "au.exe" = C:\WINNT\System32\au.exe
            It creates two additional registry keys:

              HKEY_CURRENT_USER\Software\Windows2000 "frn"
              HKEY_CURRENT_USER\Software\Windows2000 "gid"
            If you are infected, please make sure you have the McAfee DAT file 4324 (released on Feb. 17, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool (v.2.0.1, 2/17/04) has been updated to detect and clean this threat.

            W32/Mimail.s@MM
            Jan. 29, 2004

            Platform: Windows 9x/ME, Windows NT/2000/XP
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4321 (released 1/29/04)
Minimum VirusScan scan engine: 4.2.40
            For more information: http://vil.nai.com/vil/content/v_100989.htm


            Please update your McAfee DAT to 4321 as soon as possible.

            W32/Mimail.s@MM is a mass-mailing worm that attempts to steal credit card information by displaying a fake message that your Microsoft Windows license has expired.

            The worm harvests email addresses by appending .org, .net or .com to strings from files on an infected computer. The harvested email addresses are saved in c:\windows\outlook.cfg. The worm has its own SMTP engine to construct email messages with varying subject lines, message bodies and attachment names.

            For example,
            Subject: here is the file you asked for
            Body: Hi! Here is the file you asked for!
            Attachment: document.txt.scr

            Possible attachment file extensions include:

          • .pif
          • .scr
          • .exe
          • .jpg.pif
          • .jpg.scr
          • .jpg.exe
          • .gif.pif
          • .gif.scr
          • .gif.exe

            When the attachment is run, a fake error message is displayed.

The worm validates the credit card number that is entered and displays an error message if a dummy number is entered.

            Stolen credit card numbers are sent to email addresses found in the worm's body in the mail15.com and ziplip.com domains. The stolen information is saved in c:\xx.

When the attachment is opened, the worm copies itself to c:\Windows\rabbit.exe and c:\Windows\x (worm body), and adds the following startup registry value:
            • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
              CurrentVersion\Run "RabbitWannaHome" = %WinDir%\rabbit.exe
            If you are infected, please make sure you have the McAfee DAT file 4321 (released on Jan. 29, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

            W32/Mydoom@MM
            (alias W32.Novarg.A@MM, Novarg, Win32/Shimg)
            Jan. 26, 2004

            Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: High Outbreak
            Minimum VirusScan DAT: 4319 (released 1/26/04 6:35 pm HST)
Minimum VirusScan scan engine: 4.2.40
            For more information: http://vil.nai.com/vil/content/v_100983.htm


            Please update your McAfee DAT to 4319 as soon as possible. The date of the virus definition will appear as Jan. 27, 2004 in VirusScan.

            NAI has updated the Stinger removal tool (v1.9.7, 1/26/04) to detect and repair W32/Mydoom@MM. You must reboot after running Stinger to complete the repair. Note: Windows ME/XP users need to disable system restore before running Stinger.

            This mass-mailing and peer-to-peer file-sharing worm arrives in email with the following characteristics:

            From: (spoofed)
            Subject: (Random) possible subject lines:

          • test
          • hi
          • hello
          • Mail Delivery System
          • Mail Transaction Failed
          • Server Report
          • Status
          • Error
            Body: (Varies, such as)
            • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
            • The message contains Unicode characters and has been sent as a binary attachment.
            • Mail transaction failed. Partial message is available.
            Attachment: (varies [.exe, .pif, .cmd, .scr] - often arrives in a ZIP archive) (22,528 bytes)

            The icon for the attachment makes it appear to be a text file. Attachment file names are common names but may be random. Examples include:

          • document.scr
          • doc.bat
          • document.zip
          • message.zip
          • readme.zip
          • text.pif
          • hello.cmd
          • body.scr
          • test.htm.pif
          • data.txt.exe
          • file.scr

            When the attachment is opened, Notepad opens filled with garbage characters. It copies itself to the local system with filenames:
            • c:\Program Files\KaZaa\My Shared Folder\activation_crack.scr
            • %SysDir%\taskmon.exe
            where %SysDir% is the Windows System directory.

            It creates the file shimgapi.dll (4,096 bytes) in the Windows System directory. This DLL is injected into EXPLORER.EXE upon reboot via registry key:

          • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 "(Default)" = %SysDir%\shimgapi.dll

            It creates the registry entry to hook Windows startup:
            • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
              CurrentVersion\Run "TaskMon" = %SysDir%\taskmon.exe
The worm listens on TCP port 3127, suggesting remote control. On the first system startup after Feb. 2, 2004, the worm changes its behavior to start a denial of service (DoS) attack against the sco.com domain. The DoS attack will stop on Feb. 12, 2004.

            The worm copies itself in the KaZaa Shared Directory with filenames such as:
          • winamp5
          • icq2004-final
          • activation_crack
          • strip-girl-2.0bdcom_patches
          • rootkitXP
          • office_crack
          • nuke2004

            with file extensions .pif, .scr, or .bat.

            The worm harvests email addresses from the local system from files with the following extensions:
          • wab
          • adb
          • tbb
          • dbx
          • asp
          • php
          • sht
          • htm
          • txt

            If you are infected, please make sure you have the McAfee DAT file 4319 (released on Jan. 27, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

            W32/Dumaru.y@MM
            Jan. 26, 2004

            Platform: Windows 9x/ME, Windows NT/2000/XP
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4318 (released 1/26/2004)
Minimum VirusScan scan engine: 4.2.40
            For more information: http://vil.nai.com/vil/content/v_100980.htm

The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Dumaru.y@MM is a mass-mailing worm that steals data and allows a remote hacker to run commands on your computer, listening on TCP ports 2283 and 10000. The worm captures keystrokes during web browser sessions, targeting online banking sessions.

            The email has the following characteristics:

            From: "Elene" (F (removed) ENSUICIDE@HOTMAIL.COM) (profanity removed)
            Subject: Important information for you. Read it immediately !
            Body: Here is my photo, that you asked for yesterday.
            Attachment: myphoto.zip

            The attachment expands to myphoto.jpg (many spaces).exe.
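The Netsky.c alert lists the decoy and executable extensions that make up its double-extension attachments, the Netsky.b alert repeats the pattern (and wraps it in .ZIP files), and the Dumaru.y alert above shows a third trick, padding the name with spaces so the real .exe extension is pushed out of view. The following is an added example (not code from the alerts) that flags all three forms in attachment names and inside a ZIP wrapper; the extension sets come from the alerts (.bat and .cmd from the Mydoom lists), and the sample archive is constructed.

```python
"""Detect the deceptive attachment names the Netsky.b, Netsky.c and Dumaru.y
alerts describe: a decoy document extension followed by an executable one,
whitespace padding that hides the real extension, and the same tricks inside a
.ZIP wrapper. Added example, not part of the alerts."""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass, field

# Decoy extensions the alerts list as the first extension (.jpg from Dumaru.y).
DECOY_EXTS = {".doc", ".htm", ".rtf", ".txt", ".text", ".jpg"}
# Executable extensions the alerts list as the real, last extension.
EXEC_EXTS = {".com", ".exe", ".pif", ".scr", ".bat", ".cmd"}


@dataclass
class Verdict:
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_name(name: str) -> Verdict:
    """Classify one attachment filename."""
    v = Verdict(name)
    # Dumaru.y trick: "myphoto.jpg" + many spaces + ".exe", so a narrow mail
    # client column shows only the harmless-looking front part.
    if re.search(r"\s{2,}", name):
        v.reasons.append("whitespace padding before the real extension")
    parts = re.sub(r"\s+", "", name.lower()).split(".")
    if len(parts) < 2:
        return v                      # no extension at all: nothing to judge
    last = "." + parts[-1]
    if last in EXEC_EXTS:
        v.reasons.append(f"executable extension {last}")
        # Netsky double extension: decoy part directly before the executable part.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
            v.reasons.append(f"double extension .{parts[-2]}{last}")
    return v


def check_zip(data: bytes) -> list[Verdict]:
    """Apply check_name to every member of a .ZIP attachment (the worms often
    ship the double-extension file inside details.zip, mail.zip and the like)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [check_name(i.filename) for i in zf.infolist() if not i.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed sample archive; the member bodies are harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.doc.pif", b"placeholder, not a worm body")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in ("document.doc.pif", "myphoto.jpg" + " " * 40 + ".exe",
                   "report.doc", "angels.pif"):
        print(repr(sample), "->", check_name(sample).reasons or "clean")
    for verdict in check_zip(build_sample_zip()):
        print("zip member", verdict.name, "->", verdict.reasons or "clean")
```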

            The worm gathers email addresses from files on the infected computer with .htm, .wab, .html, .dbx, .tbb, and .abd extensions. It mails itself to harvested email addresses using its own SMTP engine.

            When executed, the worm also copies itself on the infected computer:

            • %WinDir%\RUNDLLX.SYS
            • %SysDir%\L32X.EXE
            • %SysDir%\VXD32V.EXE
            where %WinDir% is the Windows directory (e.g. C:\WinNT) and %SysDir% is the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME).

            It creates a registry key:

HKEY_LOCAL_MACHINE\Software\SARS
            If you are infected, please make sure you have the McAfee DAT file 4318 (released on Jan. 26, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

            W32/Bagle@MM
            Jan. 19, 2004

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4316 (released 1/18/2004)
Minimum VirusScan scan engine: 4.2.40
For more information: http://vil.nai.com/vil/content/v_100965.htm

            The ITS mail server (mail.hawaii.edu) is scanning for this threat. W32/Bagle@MM is a mass-mailing worm that pretends to be a test message and is from a spoofed address. It listens on TCP port 6777 for remote connections. The outgoing messages have random attachment names. If the system date is Jan. 28, 2004 or later, the virus does not propagate.

            The email has the following characteristics:

            From: (address may be forged)
            Subject:Hi
            Body:
            Test =)
            (random characters)
            --
            Test, yep.
            Attachment: (random filename, size 15,872 bytes)

            The virus gathers email addresses from files on the infected computer with .wab, .txt, .htm, and .html extensions. It mails itself to harvested email addresses using its own SMTP engine. However, it doesn't mass-mail itself to addresses that include @hotmail.com, @msn.com, @microsoft, and @avp.

            The virus listens on TCP port 6777, which allows a remote attacker to execute commands on the local system, download executables to the local system, and terminate and delete the worm program.

            When the attachment is run and the system date is Jan. 28, 2004 or later, the virus exits and doesn't propagate. If the system date is before Jan. 28, 2004, the virus runs the standard Windows calculator program (calc.exe). It also copies itself to the Windows System directory (c:\windows\system32 for Windows XP, c:\winnt\system32 for Windows NT/2000, c:\windows\system for Windows 95/98/ME) as bbeagle.exe.

            It creates a registry key to load itself on startup:

              HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
              Run "d3dupdate.exe" = C:\WINNT\System32\bbeagle.exe
            It creates two additional registry keys:

              HKEY_CURRENT_USER\Software\Windows98 "frun"
              HKEY_CURRENT_USER\Software\Windows98 "uid"
            If you are infected, please make sure you have the McAfee DAT file 4316 (released on Jan. 18, 2004) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm. The stand-alone Stinger removal tool has been updated to detect and clean this threat.

            W32/Sober.c@MM
            Dec. 22, 2003

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4310 (released 12/21/2003)
            Minimum VirusScan scan engine: 4240
            For more information: http://vil.nai.com/vil/content/v_100912.htm

            Network Associates has raised the alert level of W32/Sober.c@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4310 (released 12/21/03) as soon as possible. The ITS mail server (mail.hawaii.edu) is scanning for this threat.

            W32/Sober.c@MM is a mass-mailing worm written in Visual Basic. The outgoing messages have varying subject lines, message bodies and attachment names (in either English or German). Two worm processes run on the infected computer to ensure that the worm stays memory resident.

            Summary of the worm:

            • contains its own SMTP engine for constructing messages
            • target email addresses are harvested from the infected computer
            • the worm may have garbage at the end of the file (its file size may be larger than 74,223 bytes)

            The email has the following characteristics:

            Subject: (possible subject lines)

            • Betr: Klassentreffen
            • Testen Sie ihren IQ
            • Bankverbindungs- Daten
            • Neuer Dialer Patch!
            • Ermittlungsverfahren wurde eingeleitet
            • Ihre IP wurde geloggt
            • Sie sind ein Raubkopierer
            • Sie tauschen illegal Dateien aus
            • Ich hasse dich
            • Ich zeige sie an!
            • Sie Drohen mir
            • you are an idiot
            • why me?
            • I hate you
            • Preliminary investigation were started
            • Your IP was logged
            • You use illegal File Sharing ...
            Attachment: (possible filenames)
            • www.iq4you-german-test.com
            • www.freewantiv.com
            • www.free4manga.com
            • www.free4share4you.com
            • www.tagespolitik-umfragen.com
            • www.onlinegamerspro-worm.com
            • www.freegames4you-gzone.com
            • www.boards4all-terror432.com
            • www.anime4allfree.com
            • www.animepage43252.com
            • yourmail
            • alledigis
            • aktenz
            Attachments may end with a .com, .bat, .cmd, .pif, .scr or .exe extension, which may be preceded by a .txt or .doc and/or a random number.

            When the attachment is run, a fake error message is displayed. For example:

            The worm installs itself into the default Windows System directory %SysDir% (c:\windows\system32 or c:\winnt\system32) as SYSHOSTX.EXE. Two other copies of the worm are dropped into %SysDir%, with varying filenames. For example:

            • %SysDir%\ONDMONSTR.EXE
            • %SysDir%\DATMSCRYPT.EXE
            These two files are responsible for monitoring and maintaining that the worm stays memory resident. Upon termination of one worm process, another copy is quickly restarted.

            It modifies the registry so the worm is run on system startup, where "string" varies between infections.

              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
              Run "(string)" = %SysDir%\ONDMONSTR.EXE

              HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
              Run "(string)" = %SysDir%\ONDMONSTR.EXE
            If you are infected, please make sure you have the McAfee DAT file 4310 (released on Dec. 21, 2003) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

            W32/Mimail.i@MM
            November 14, 2003

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4304 (released 11/14/2003)
            Minimum VirusScan scan engine: 4240
            For more information: http://vil.nai.com/vil/content/v_100822.htm

            Network Associates has raised the alert level of W32/Mimail.i@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4304 (released 11/14/03) as soon as possible.

            W32/Mimail.i@MM is a mass-mailing worm which attempts to steal credit card information by displaying a fake PayPal message, announcing the expiration of your PayPal account. It spreads with attachment www.paypal.com.scr or paypal.asp.scr.

            Summary of the worm:

            • contains its own SMTP engine for constructing messages
            • mails itself as www.paypal.com.scr or paypal.asp.scr attachment
            • uses email addresses harvested from the local computer

            The email has the following characteristics:

            When the attachment is run, the following window is displayed:

            The worm installs itself into the default Windows directory %WinDir% as SVCHOST32.EXE (12,832 bytes). The worm creates the following files:

            • c:\pp.gif (paypal icon)
            • c:\pp.hta (graphical interface)
            • c:\ppinfo.sys (your credit card details)
            • %WinDir%\ee98af.tmp (copy of the worm)
            • %WinDir%\el388.tmp (harvested email addresses)
            • %WINDIR%\svchost32.exe (copy of the worm)
            • %WinDir%\zp3891.tmp
            It modifies the registry so the worm is run on system startup.

              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
              Run "SvcHost32" = %WinDir%\svchost32.exe
            If you are infected, please make sure you have the McAfee DAT file 4304 (released on Nov. 14, 2003) and a scan engine of 4.2.40 or higher. You may run a scan on all files to detect and clean up this worm.

            W32/Mimail.c@MM
            October 31, 2003

            Platform: Windows 9x/ME/Windows NT/2000/XP, Windows Server 2003
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4301 (released 10/31/2003)
            Minimum VirusScan scan engine: 4160
            For more information: http://vil.nai.com/vil/content/v_100795.htm

            Network Associates has raised the alert level of W32/Mimail.c@MM to MEDIUM risk due to increased prevalence. Please update your DAT file to 4301 as soon as possible.

            The worm was initially "seeded" by mass-spamming with attachment undelivered.hta which creates the file c:\mware.exe. This executable is the worm, W32/Mimail.c@MM. When the .hta file is run, the following message is displayed:

              Your message will be sent again in 1 hour. If it doesn't arrive - we will delete it from the queue.
            W32/Mimail.c@MM is a mass-mailing worm which spreads with attachment PHOTOS.ZIP (contains PHOTOS.JPG.EXE) and can cause a denial of service attack.

            Summary of the worm:
            • contains its own SMTP engine for constructing messages
            • mails itself as PHOTOS.ZIP attachment
            • uses email addresses harvested from the local computer
            • sends large amounts of data (garbage) to remote servers (port 80 and ICMP)

            The email has the following characteristics:

            The worm installs itself into the default Windows directory %WinDir% as NETWATCH.EXE (12,832 bytes). Three other files are dropped into the default Windows directory:

            • %WinDir%\EMP.TMP - list of email addresses harvested from the victim's computer
            • %WinDir%\EXE.TMP - copy of the worm
            • %WinDir%\ZIP.TMP - a ZIP archive containing the worm
            It modifies the registry so the worm is run on system startup.

              HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
              Run "NetWatch32" = C:\WINNT\NETWATCH.EXE
            If you are infected, please make sure you have the McAfee DAT file 4301 (released on October 31, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

            If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.
            W32/Swen@MM
            September 18, 2003

            Platform: Windows 9x/ME/Windows NT/2000/XP
            Risk Assessment: Medium (for Home Users)
            Minimum VirusScan DAT: 4294 (released 9/18/2003)
            Minimum VirusScan scan engine: 4160
            For more information: http://vil.nai.com/vil/content/v_100662.htm


            Network Associates has raised the alert level of W32/Swen@MM to MEDIUM risk for Home Users due to increased prevalence of this worm.

            In some cases, it pretends to be a Microsoft Security Update. It can also impersonate mail delivery failure notices and attaches itself as a randomly named executable.

            It terminates various processes including Regedit, ZoneAlarm, BlackIce, VirusScan, Norton Antivirus, F-Prot, Esafe, and others. It spreads via various mechanisms including:

            • mailing itself to email addresses extracted from files on the victim computer
            • copying itself over network shares (mapped drives)
            • sharing itself over the KaZaa P2P network
            • sending itself via IRC
            The virus contains its own SMTP engine to construct outgoing email messages. Multiple subject lines and attachment names are constructed from strings within the worm to be used in outgoing messages. Target email addresses are extracted from files on the victim computer.

            Sample of the email pretending to be a Microsoft Security Update


            The worm copies itself to the startup folder on mapped network drives using a random filename.

            The worm drops a SCRIPT.INI file (123 bytes) into the mIRC program folder to propagate via IRC (using dcc send).

            The worm copies itself in a directory (random name) within the system temp directory, using suggestive names such as

          • SIRCAM CLEANER.EXE
          • YAHOO HACKER.EXE
          • HALLUCINOGENIC SCREENSAVER.EXE
          • etc

            Symptoms
          • Display of fake message boxes to install Microsoft Security Update
          • Unexpected termination of anti-virus or security programs
          • Inability to run RegEdit on the victim computer

            Various registry keys are modified to hook the execution of .BAT, .COM, .EXE, .PIF, .REG, and .SCR files.

            If you are infected, please make sure you have the McAfee DAT file 4294 (released on September 18, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

            If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.

            W32/Dumaru.a@MM
            August 28, 2003

            Platform: Windows 9x/ME/Windows NT/2000/XP
            Risk Assessment: Medium
            Minimum VirusScan DAT: 4290 (released 8/28/2003)
            Minimum VirusScan scan engine: 4140
            For more information: http://vil.nai.com/vil/content/v_100560.htm


            Network Associates has raised the alert level of W32/Dumaru.a@MM from low to medium risk. W32/Dumaru.a@MM is a mass-mailing worm, with its own SMTP engine, that sends email to addresses found in files with the following extensions on the infected computer's hard drive:

            • .htm
            • .wab
            • .html
            • .dbx
            • .tbb
            • .abd
            The email message will look like it is from Microsoft Security ("Microsoft" security@microsoft.com) and it will have an attachment called patch.exe. The patch.exe file carries the worm. If you receive a message from Microsoft security with a patch.exe attachment, please DELETE it immediately. Microsoft does not email any of its security patches to customers (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/policy/swdist.asp).

            Sample of the email

            This worm might have a password stealer within it. If it does, McAfee VirusScan will detect the password stealer as PWS-Narod. It will also infect exe files on NTFS volumes using streams.

            How to Clean
            To remove this virus "by hand", follow these steps:

            1. Win9x/ME - Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
              WinNT/2K/XP - Terminate the processes: LOAD32.EXE VXDMGR32.EXE DLLREG.EXE
            2. Delete the following files:
              • %WinDir%\DLLREG.EXE
              • %SysDir%\LOAD32.EXE
              • %SysDir%\VXDMGR32.EXE

              Note:
              %WINDIR% is c:\windows or c:\winnt
              %SYSDIR% is c:\windows\system or c:\winnt\system


            3. Edit the registry
              • Delete the "Load32" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
              • Edit the "Run" value in the following key from "C:\WINDOWS\DLLREG.EXE" to "": HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
              • Edit the "Shell" value in the following key from "explorer.exe %sysdir%\vxdmgr32.exe" to "explorer.exe": HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
          Additional Windows ME and XP removal considerations: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
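A way to verify the three registry items in the clean-up steps above without editing by hand, as an added example that is not part of the ITS alerts or any vendor tool: export the relevant keys with regedit (File > Export) and audit the text. It assumes the standard .reg export format; the worm filenames in its table are the ones named in the alerts on this page (so it also reports Run-key entries for Sobig, Bagle, Mimail and Sober, and the file-association hijacks Colevo sets), and the sample export is constructed.

```python
"""Added example, not part of the ITS alerts: audit a regedit export
(.reg text, as File > Export writes it) for the persistence entries the
alerts describe. It checks the three Dumaru.a clean-up items (the Load32
Run value, the Windows NT 'Run' value, the Winlogon 'Shell' value), Run-key
entries for other worm filenames named in these alerts, and the
file-association hijacks Colevo sets. The sample export is constructed."""
import re

# Startup filenames named in the alerts, mapped to the alert they belong to.
KNOWN_STARTUP_FILES = {
    "load32.exe": "Dumaru.a", "dllreg.exe": "Dumaru.a", "vxdmgr32.exe": "Dumaru.a",
    "winppr32.exe": "Sobig.f", "winssk32.exe": "Sobig.e", "msblast.exe": "Lovsan/Blaster",
    "teekids.exe": "Lovsan.b", "penis32.exe": "Lovsan.c", "bbeagle.exe": "Bagle",
    "netwatch.exe": "Mimail.c", "svchost32.exe": "Mimail.i", "videodrv.exe": "Mimail",
    "ondmonstr.exe": "Sober.c", "datmscrypt.exe": "Sober.c", "syshostx.exe": "Sober.c",
}
# Stock open handler per file class; None means the command starts with "%1".
STOCK_HANDLERS = {"exefile": None, "comfile": None, "batfile": None,
                  "piffile": None, "htafile": "mshta.exe"}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')   # "name"=... or @=...


def _unescape(s):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse regedit export text into {key: {value_name: value}}. Quoted
    string values are decoded; other kinds (dword:, hex:) keep their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        value = m.group(3)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def _program_of(command):
    """The program a shell\\open\\command runs: its quoted or first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_registry(text):
    """Return (key, value_name, finding) triples for the export's contents."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, value in values.items():
            v = value.lower()
            hit = next((w for w in KNOWN_STARTUP_FILES if w in v), None)
            if "\\currentversion\\run" in k and hit:
                findings.append((key, name, f"{KNOWN_STARTUP_FILES[hit]} startup entry ({hit})"))
            elif k.endswith("\\windows nt\\currentversion\\windows") and name.lower() == "run" and value:
                findings.append((key, name, "Windows NT 'Run' value set; Dumaru.a clean-up empties it"))
            elif k.endswith("\\currentversion\\winlogon") and name.lower() == "shell" and v != "explorer.exe":
                findings.append((key, name, "Winlogon Shell is not explorer.exe; Dumaru.a clean-up resets it"))
            elif k.startswith("hkey_classes_root\\") and k.endswith("\\shell\\open\\command") and name == "(Default)":
                cls, program = key.split("\\")[1].lower(), _program_of(value)
                handler = None if program == "%1" else program.rsplit("\\", 1)[-1].lower()
                if cls in STOCK_HANDLERS and handler != STOCK_HANDLERS[cls]:
                    findings.append((key, name, f"{cls} open handler hijacked by {program}"))
            elif k == "hkey_classes_root\\exefile" and name.lower() == "nevershowext":
                findings.append((key, name, "NeverShowExt hides the .exe extension in Explorer"))
    return findings


# Constructed sample: Dumaru.a and Sobig.f persistence, Colevo's exefile hijack
# and NeverShowExt, one benign Run value, and a stock htafile handler.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Load32"="C:\\WINDOWS\\SYSTEM\\LOAD32.EXE"
"TrayX"="C:\\WINNT\\WINPPR32.exe /sinc"
"Synchronization Manager"="mobsync.exe /logon"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"Run"="C:\\WINDOWS\\DLLREG.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\SYSTEM\\vxdmgr32.exe"
[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\command.exe\", \"%1\" %*"
[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\system32\\mshta.exe \"%1\" %*"
'''
```

Running audit_registry(SAMPLE_EXPORT) reports six findings (Load32, TrayX, the Windows NT Run value, the Winlogon Shell, NeverShowExt and the exefile hijack) and nothing for the benign Run value or the stock htafile handler; an empty result after clean-up confirms the three Dumaru.a edits took effect.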

          If you are infected, please make sure you have the McAfee DAT file 4290 (released on August 28, 2003) and a scan engine of 4.2.60. You may run a scan on all files to detect and clean up this worm.

          If you need assistance, please call the ITS Help Desk (808) 956-8883 or toll-free from neighbor islands (800) 558-2669.

          W32/Sobig.f@MM
          August 19, 2003

          Platform: Windows NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4287 (released 8/19/2003)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100561.htm


          There is a new variant of the W32/Sobig virus. Like the other variants, it spreads via mass mailing (uses its own SMTP engine) and over network shares (not confirmed in testing by NAI yet). The worm has garbage data appended at the end of the file so exact filesize may vary.

          The standalone NAI Stinger tool has been updated to detect and remove this threat.

          The worm copies itself on the victim machine as C:\WINNT\WINPPR32.EXE. It drops a configuration file in the default Windows directory as C:\WINNT\WINSTT32.DAT.

          The following registry keys are added to hook the system on startup:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          "TrayX" = C:\WINNT\WINPPR32.exe /sinc

          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          "TrayX" = C:\WINNT\WINPPR32.exe /sinc

          Target email addresses are harvested from files on the infected computer with the following extensions:

        • DBX
        • HLP
        • MHT
        • WAB
        • EML
        • TXT
        • HTM
        • HTML

          The worm may arrive in email with the following characteristics:

          From: (the from: address may be spoofed or forged with an email address found on the victim's machine)
          Subject:
        • Your details
        • Thank you!
        • Re: Thank you!
        • Re: Details
        • Re: Re: My details
        • Re: Approved
        • Re: Your application
        • Re: Wicked screensaver
        • Re: That movie
          Attachment:
        • your_document.pif
        • document_all.pif
        • thank_you.pif
        • your_details.pif
        • details.pif
        • document_9446.pif
        • application.pif
        • wicked_scr.scr
        • movie0045.pif

          The worm attempts to send NTP packets to remote NTP servers using destination port 123.

           

          W32/Nachi.worm
          August 18, 2003

          Platform: Windows NT/2000/XP/Server 2003
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4286 (released 8/18/2003)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100559.htm


          The worm exploits the MS03-026 RPC buffer overflow vulnerability and is not related to the W32/Lovsan.worm.d (aka Blaster worm). It creates high ICMP traffic on the network.

          The worm spreads by scanning the local subnet on port 135 for target Windows machines with the MS03-026 vulnerability. It pings potential victim machines, and upon reply, sends the exploit data. A remote shell is created on the target machine on TCP port 707. Victim machines are instructed to download the worm via TFTP. Once running, the worm terminates and deletes the W32/Lovsan.worm.a process and applies the Microsoft patch to prevent other threats from infecting the system through the same hole.

          A mutex named RpcPatch_Mutex is created to ensure that only one instance of the worm is on the victim machine.

          The worm installs itself in the WINS directory in the Windows System directory:

          C:\WINNT\SYSTEM32\WINS\DLLHOST.EXE (10,240 bytes)

          Note: there is a legitimate file named DLLHOST.EXE but it is approximately 5-6 KB.

          The worm attempts to copy the TFTPD.EXE file from dllcache on the victim computer to the WINS directory and renames it to SVCHOST.EXE.

          The following services are installed:

        • RpcPatch runs the installed copy of the worm (DLLHOST.EXE)
             Display name "WINS Client"

        • RpcTftpd runs the copy of the TFTPD application (SVCHOST.EXE)
             Display name "Network Connections Sharing"

          The worm attempts to download and install one of the patches for the MS03-026 vulnerability. When the system clock reaches Jan. 1, 2004, the worm will delete itself upon execution.

          Unless the system is patched for the MS03-026 vulnerability, it is susceptible to the buffer overflow attack from an infected machine. When packets are sent to the RPC service on port 135, unpatched systems will get a buffer overflow and crash. The worm does not have to be on the unpatched system.

          Once the system is patched, it is important that the system is rebooted.

           

          W32/Lovsan.worm (aka Blaster worm)
          August 11, 2003
          Last Revised: August 13, 2003 at 2:38 pm

          Platform: Windows NT/2000/XP/2003 Server
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4285 (released 8/13/2003)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100547.htm


          The worm looks for victims by scanning the network for Windows computers that do not have the MS03-026 Microsoft security patch. An infected computer will have TCP port 4444 open and TFTP running. The worm downloads itself into %windir%\system32 as msblast.exe. Once the msblast file is executed, the worm installs a registry key:

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
          "windows auto update" = msblast.exe
          (text embedded in the worm: I just want to say LOVE YOU SAN!! bill)

          The infected computer will display error messages about the RPC service failing and the computer will reboot.

          Remedy
          If you are infected already, you should unplug your network cable from the back of the computer then restart the computer with the network cable disconnected. (This should stop the rebooting.) You should download the stinger program from a clean computer (a computer that was not infected with the blaster worm). There is a NAI stinger program that will detect and attempt to remove the worm. You may download the file NAI Stinger. Please read the instructions before using this tool! After you have removed the worm, you need to apply the Microsoft patch MS03-026 and other patches from Windows Update. Once the Microsoft patch is installed, start your antivirus software and check the version. Please make sure that the version is the most current.

          Update to Remedy (8/11/2003 3:30pm)
          If you are not infected, please update your McAfee VirusScan today. There is a new DAT and SuperDAT file. Please download the new file Latest DAT and SuperDAT File or run the autoupdate on your McAfee VirusScan Console.

          Update (8/13/2003):


          Please download and use the DAT/SuperDAT file 4285 released 8/13/2003 instead of the Extra DAT.

          There are reports that the worm has 2 new versions - Lovsan.b and Lovsan.c.
          Lovsan.b version
          Lovsan.b installs a backdoor component that allows an intruder to remotely control an infected computer. To identify Lovsan.b, look for 2 files in %windir%\system32: root32.exe (backdoor) and teekids.exe (worm).
          The clean-up recommendation for Lovsan.b is to re-install the computer system. Please make sure that you have a backup of the computer system before this is done.

          Lovsan.c version
          Lovsan.c does the same thing as the original Lovsan worm. The difference is that the blast32.exe file is called penis32.exe and it is stored in the %windir%\system32 directory. There are no reports of backdoors for this version at this time.
          The clean-up recommendation for Lovsan.c is to use the NAI Stinger tool. The NAI Stinger tool will remove the registry edits, but you will have to manually remove the penis32.exe file from the %windir%\system32 directory.

          Please note: %windir% is the directory in which your Windows system files are stored. The most common places are windows and winnt (i.e. c:\windows\system32 or c:\winnt\system32).
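The network behaviour the Nachi and Lovsan/Blaster alerts above describe (TCP/135 sweeps for unpatched MS03-026 hosts, Nachi's ICMP pings, then the TCP 4444 or TCP 707 shell and the TFTP fetch) can be spotted in firewall or flow logs. The following is an added example, not part of the ITS alerts or any vendor tool; the key=value log format and every line in sample_log() are constructed, and the sweep threshold and window are assumed values to tune for your network.

```python
"""Added example, not part of the ITS alerts: detection logic for the traffic
patterns the Nachi and Lovsan/Blaster alerts describe, run over firewall or
flow log lines. It flags TCP/135 sweeps for unpatched MS03-026 hosts, ICMP
echo sweeps (Nachi pings before sending the exploit), and the follow-on
connections to the remote shell ports (TCP 4444 for Blaster, TCP 707 for
Nachi) or to TFTP (UDP 69) over which a victim fetches the worm.
The key=value log format and every line in sample_log() are constructed."""
from collections import defaultdict
from datetime import datetime

# Ports the alerts associate with post-exploitation activity.
FOLLOW_ON_PORTS = {
    ("tcp", 4444): "Blaster remote shell (TCP 4444)",
    ("tcp", 707): "Nachi remote shell (TCP 707)",
    ("udp", 69): "TFTP transfer (UDP 69)",
}


def parse_line(line):
    """Parse 'ts=... proto=... src=... dst=... [dport=...] [icmp_type=...]'
    into a dict, or return None when required fields are missing or bad."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"ts", "proto", "src", "dst"} <= set(fields):
        return None
    try:
        fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S")
        if "dport" in fields:
            fields["dport"] = int(fields["dport"])
    except ValueError:
        return None
    fields["proto"] = fields["proto"].lower()
    return fields


def detect(lines, sweep_threshold=8, window_seconds=60):
    """Return (source, description) alerts. A sweep alert fires when one
    source reaches at least sweep_threshold distinct destinations on
    TCP/135, or with ICMP echo requests, inside window_seconds."""
    sweeps = defaultdict(list)      # (src, kind) -> [(ts, dst), ...]
    alerts, reported = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "tcp" and ev.get("dport") == 135:
            sweeps[(ev["src"], "TCP/135 scan for MS03-026 hosts")].append((ev["ts"], ev["dst"]))
        elif ev["proto"] == "icmp" and ev.get("icmp_type") == "8":
            sweeps[(ev["src"], "ICMP echo sweep (Nachi)")].append((ev["ts"], ev["dst"]))
        label = FOLLOW_ON_PORTS.get((ev["proto"], ev.get("dport")))
        if label and (ev["src"], ev["dst"], label) not in reported:
            reported.add((ev["src"], ev["dst"], label))
            alerts.append((ev["src"], f"{label} to {ev['dst']}"))
    for (src, kind), events in sweeps.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # slide a window over each start event
            hosts = {d for t, d in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= sweep_threshold:
                alerts.append((src, f"{kind}: {len(hosts)} hosts in {window_seconds}s"))
                break
    return alerts


def sample_log():
    """Constructed sample: a Blaster-style TCP/135 sweep followed by a
    TCP 4444 connection and a TFTP fetch, a Nachi-style ping sweep,
    one ordinary port-135 connection, web traffic and a malformed line."""
    lines = [f"ts=2003-08-12T10:00:{i:02d} proto=tcp src=10.1.2.3 dst=10.1.5.{i} dport=135"
             for i in range(1, 11)]
    lines += [
        "ts=2003-08-12T10:00:12 proto=tcp src=10.1.2.3 dst=10.1.5.7 dport=4444",
        "ts=2003-08-12T10:00:13 proto=udp src=10.1.5.7 dst=10.1.2.3 dport=69",
        "ts=2003-08-12T10:01:00 proto=tcp src=10.1.2.9 dst=10.1.0.1 dport=135",
        "ts=2003-08-12T10:01:01 proto=tcp src=10.1.2.9 dst=192.0.2.10 dport=80",
        "garbage line without fields",
    ]
    lines += [f"ts=2003-08-18T09:15:{i:02d} proto=icmp src=10.1.2.50 dst=10.1.9.{i} icmp_type=8"
              for i in range(1, 13)]
    return lines


if __name__ == "__main__":
    for src, what in detect(sample_log()):
        print(f"{src}: {what}")
```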


          If you need further assistance, please call the ITS Help Desk at 956-8883 or Toll-free from neighbor islands (800) 558-2669.

           

          W32/Mimail@MM
          August 2, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4282 (released 8/1/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100523.htm

          There have been many reports of this virus in the wild. Please update your DAT to 4282 as soon as possible. The Stinger removal tool has been updated to detect and remove this threat.

          This worm exploits known security vulnerabilities for which Microsoft released patches some months ago. It uses the codebase (MS02-015) and MHTML exploits (MS03-014). Please patch your systems for these vulnerabilities, if you have not already done so.

          The mass mailing worm arrives in an email message with the following format:

          From: Admin@current_domain (from: address may be spoofed to appear that it is coming from the current domain)
          Subject: your account (variable string)
          Body:

          Hello there,

          I would like to inform you about important information regarding your email address. This email address will be expiring. Please read attachment for details.

          --- Best regards, Administrator

          Attachment: message.zip

          The attached .zip file contains a file named MESSAGE.HTM. The file automatically creates the file, foo.exe, in the Temporary Internet Files folder and runs it.

          Note: The MS03-014 patch must be applied to prevent the automatic execution of the executable when accessing the MESSAGE.HTM file.

          When run, the following files are created in the default WINDOWS %WINDIR% directory:

        • videodrv.exe (19,824 bytes)
        • exe.tmp (20,445 bytes)
        • zip.tmp (20,567 bytes)

          The virus creates the following registry key to load itself on Windows Startup:

        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
          Run "VideoDriver" = C:\WINNT\videodrv.exe

          The virus checks to see if the system is connected to the Internet by trying to contact google.com. If successful, it attempts to harvest email addresses from files on the local system and sends itself to those addresses. The mailing routine tries to query the mail server for the domain related to the harvested addresses. Messages are sent through that SMTP server. Local files with the following extensions are excluded from email address harvesting attempts:
        • AVI
        • BMP
        • CAB
        • COM
        • DLL
        • EXE
        • GIF
        • JPG
        • MP3
        • MPG
        • OCX
        • PDF
        • PSD
        • RAR
        • TIF
        • VXD
        • WAV
        • ZIP

          The harvested addresses are stored in the eml.tmp file in the WINDOWS directory.

          An additional registry key is created:
        • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
              Code Store Database\Distribution Units\
              {11111111-1111-1111-1111-111111111111}
           

          W32/Colevo@MM
          July 1, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4274 (released 6/30/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100450.htm

          NAI raised the risk level of this threat to Medium for Home users only.

          The virus arrives in an email message and uses an icon almost identical to the icon associated with folders in Windows. This mass-mailing worm gathers MSN Messenger contact addresses. It launches Internet Explorer and connects to various news websites, displaying images of Bolivian Aymara Indian leader Evo Morales.

          The e-mail arrives with the following format:

          Subject: El adelanto de matrix ta gueno!!
          Body: Pablo_Hack
          Oye te U paso el programa para entrar a cuentas del messenger, y facilingo te lo paso a voz nomas, prometerr que no se lo pasas a nadie, ya? Respondeme que tal te parecio. chau!!

          Attachment: hotmailpass.exe

          The virus has a backdoor component. It leaves several TCP ports (1168, 1169, 1170 and 2536) open, allowing the hacker to control the infected computer remotely.

          When run, it copies itself to the default Windows directory %WINDIR% with the following filenames:

        • All Users.exe
        • command.exe
        • Hot Girl.scr
        • hotmailpass.exe
        • Inf.exe
        • Internet Download.exe
        • Internet File.exe
        • Part Hard Disk.exe
        • Shell.exe
        • system.exe
        • system32.exe
        • system64.pif
        • Temp.exe
          (where %WINDIR% is C:\WINDOWS or C:\WINNT)

          It copies itself to the %SYSDIR% directory with the following filenames:
        • Inf.exe
        • net.com
        • www.microsoft.com
          (where %SYSDIR% is C:\WINDOWS\SYSTEM32 or C:\WINNT\SYSTEM32)

          The virus creates the following registry keys to load itself on Windows Startup:

        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          Run "System"=%WINDIR%\system.exe
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          Run\1\2\3\4 "System"=%WinDir%\system.exe
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          RunServices "System"=%WINDIR%\system.exe
        • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
          RunServicesOnce "System"=%WinDir%\temp.exe
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
          Run "System"=%WINDIR%\system.exe
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
          Run\1\2\3\4 "System"=%WinDir%\temp.exe
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
          RunServices "System"=%WINDIR%\commands.com

          The virus also modifies the following registry keys so that the worm is executed every time an associated file extension runs.

        • HKEY_CLASSES_ROOT\exefile "NeverShowExt"=
          (hides the file extension of executables)
        • HKEY_CLASSES_ROOT\batfile\shell\open\command
          "(Default)"="%WinDir%\temp.exe", "%1" %*
        • HKEY_CLASSES_ROOT\comfile\shell\open\command
          "(Default)"="%WinDir%\command.exe", "%1" %*
        • HKEY_CLASSES_ROOT\exefile\shell\open\command
          "(Default)"="%WinDir%\command.exe","%1" %*
        • HKEY_CLASSES_ROOT\htafile\Shell\Open\Command
          "(Default)"="%WinDir%\commands.com", "%1" %*
        • HKEY_CLASSES_ROOT\piffile\shell\open\command
          "(Default)"="%WinDir%\commands.com","%1" %*

           

          W32/Sobig.e@MM
          June 26, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4273 (released 6/25/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100429.htm

          NAI raised the risk level of this threat to Medium due to increased prevalence over the past few hours. The Stinger tool was updated to detect and remove W32/Sobig.e@MM.

          The virus is a variant of W32/Sobig.d@MM. It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The virus is sent in a ZIP archive. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".ZI" extension, instead of ".ZIP".

          Email addresses are extracted from files on the victim machine with the following extensions:

        • WAB
        • DBX
        • HTM
        • HTML
        • EML
        • TXT

          The worm may arrive in email with the following characteristics:

          From: (the from: address is spoofed or forged)
          Body: Please see the attached zip file for details.
          Attachment: your_details.zip (which contains details.pif); the file extension may be truncated to .ZI

          The worm tries to copy itself to the following network locations:
        • \Documents and Settings\All Users\Start Menu\Programs\Startup\
        • \Windows\All Users\Start Menu\Programs\Startup\

          When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
        • "winssk32.exe" (approx 85KB) (a copy of itself)
        • "msrrf.dat" (configuration file)

          Registry keys are added to hook system startup:

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          "SSK Service" = %WinDir%\winssk32.exe

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          "SSK Service" = %WinDir%\winssk32.exe

           

          W32/BugBear.b@MM
          June 5, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: High
          Minimum VirusScan DAT: 4270 (released 6/5/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100358.htm

          The BugBear worm is spreading rapidly throughout the Internet. There are two methods of infection: network shares and email attachments. For network shares, the worm copies itself to the Windows startup folder using a randomly picked name (for example, BSFS.EXE). The email attachments are disguised as files that a curious person would want to look at. In most cases, the attachment's file name matches the subject line. If you would like to see the most current list of subject lines, please visit the NAI site http://vil.nai.com/vil/content/v_100358.htm. BugBear.b installs a key logger which captures the keystrokes typed on the infected computer. In addition to the key logger, there is a remote access trojan which allows the attacker to gain access to the infected computer. The trojan part of the worm opens TCP port 1080 on the infected computer.

          Symptoms

          • There are reports that infected computers will send print jobs to network printers. It is not clear what those print jobs look like.
          • There are unknown EXE files in the Windows startup folder.
          • Other people report that they received an email with an attachment from you. If this happens to you, update your VirusScan to the specifications above and scan your computer with the "all files" option on. You might not be the one that was infected, because the email could have been sent by anyone who has your email address stored in a file on their computer.
          • The antivirus software (VirusScan) does not start up or will not start the updater function.
          • If you have a software firewall such as Zone Alarm and it is not working properly, you might be infected.
             

          Please read the full description of BugBear.b for the most current information about this worm and recommendations for clean-up.

           

          W32/Sobig.c@MM
          June 2, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4268 (released 6/1/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100343.htm

          Due to increased prevalence, the risk assessment of this threat was upgraded to Medium.

          A new variant of the W32/Sobig virus was discovered on May 31, 2003. This variant is detected as W32/Sobig.dam in the 4267 DAT (released 5/28/03). However, you will need the 4268 DAT (released 6/1/03) to detect and remove the new variant. This variant spoofs or forges the from: address. Therefore, the perceived sender is not likely the infected user.

          This mass-mailing worm is very similar to W32/Sobig.b@MM (http://vil.nai.com/vil/content/v_100307.htm). It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".PI" extension, instead of ".PIF".

          Email addresses are extracted from files on the victim machine with the following extensions:

        • WAB
        • DBX
        • HTM
        • HTML
        • EML
        • TXT

          The worm may arrive in email with the following characteristics:

          From: bill@microsoft.com (note: could be any email address)

          Subject:
        • Approved
        • Re: 45443-343556
        • Re: Application
        • Re: Approved
        • Re: Movie
        • Re: Screensaver
        • Re: Submitted (004756-3463)
        • Re: Your application

          Attachment:  (file extension may be truncated to .PI)
        • 45443.pif
        • application.pif
        • approved.pif
        • document.pif
        • documents.pif
        • movie.pif
        • screensaver.scr
        • submited.pif

          Message Body:   Please see the attached file.

          The worm tries to copy itself to the following network locations if the paths are accessible:
        • \Documents and Settings\All Users\Start Menu\Programs\Startup\
        • \Windows\All Users\Start Menu\Programs\Startup\

          When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
        • "mscvb32.exe" (approx 50kB) (a copy of itself)
        • "msddr.dat" (configuration file)

          Registry keys are added to hook system startup:

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          "System MScvb" = %WinDir%\mscvb32.exe

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          "System MScvb" = %WinDir%\mscvb32.exe

          The worm checks the system date/time. If the date is June 8, 2003 or later, the worm no longer propagates. However, it still installs itself on the machine where it is executed.

           

          W32/Sobig.b@MM
          (alias W32/Palyh@MM)
          May 19, 2003
          (revised May 22, 2003)

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4265 (released 5/18/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100307.htm

          Starting from the 4266 DAT (released 5/21/03), NAI renamed this virus from W32/Palyh@MM to W32/Sobig.b@MM (http://vil.nai.com/vil/content/v_100307.htm) in order to correctly identify it as a new variant of W32/Sobig@MM.

          This mass-mailing worm is very similar to W32/Sobig@MM (http://vil.nai.com/vil/content/v_99950.htm). It propagates via email and over network shares. It has its own SMTP engine for constructing outgoing messages. The outgoing messages may have a closing quote omitted from the attachment filename, which may cause some email clients to remove a character from the remaining filename. For example, attachments may have a ".PI" extension, instead of ".PIF".

          Email addresses are extracted from files on the victim machine with the following extensions:

        • WAB
        • DBX
        • HTM
        • HTML
        • EML
        • TXT

          The worm may arrive in email with the following characteristics:

          From: support@microsoft.com

          Subject:
        • Re: My application
        • Re: Movie
        • Cool screensaver
        • Screensavers
        • Re: My details
        • Your password
        • Re: Approved (Ref: 3394-65467)
        • Approved (Ref: 38446-263)
        • Your details

          Attachment:  (file extension may be truncated to .PI)
        • approved.pif
        • ref-394755.pif
        • password.pif
        • application.pif
        • screen_doc.pif
        • screen_temp.pif
        • movie28.pif
        • download1053122425102485703.uue
        • doc_details.pif
        • _approved.pif

          Message Body:   All information is in the attached file.

          The worm tries to copy itself to the following network locations:
        • \Documents and Settings\All Users\Start Menu\Programs\Startup\
        • \Windows\All Users\Start Menu\Programs\Startup\

          When the worm is executed, it drops the following files into the %windir% (default Windows) directory:
        • "msccn32.exe" (approx 50kB) (a copy of itself)
        • "hnks.ini" (configuration file)
        • "mdbrr.ini" (configuration file)

          Registry keys are added to hook system startup:

          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
          "System Tray" = %WinDir%\msccn32.exe

          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          "System Tray" = %WinDir%\msccn32.exe

          The worm checks the system date/time. If the date is May 31, 2003 or later, the worm no longer propagates. However, it still installs itself on the machine where it is executed.

           

          W32/Fizzer@MM
          May 12, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium on Watch
          Minimum VirusScan DAT: 4263 (released 5/12/03)
          Minimum VirusScan scan engine: 4160 (to detect); 4240 (to remove)
          For more information: http://vil.nai.com/vil/content/v_100295.htm

          This mass-mailing worm has many components and an internal timer to trigger different processes at different times.

          It spreads via KaZaa and email, by mass-mailing itself to addresses found in the Microsoft Outlook Contacts list, Windows Address Book (WAB), and on the local system, and randomly generated addresses, sometimes forging the sender address. The worm arrives as an email attachment (various file names with .com, .exe, .pif, .scr extensions) with various subject lines and body text. It has its own SMTP engine.

          Other components of the worm include:

        • IRC (Internet Relay Chat) bot
              - when it connects to an IRC server, it opens a channel and awaits instructions from the attacker
        • AIM (AOL Instant Messenger) bot
              - it connects to an AIM chat server on port 5190 and listens for further instructions
        • Keylogger
              - captures typed keystrokes and stores them in iservc.klg (an encrypted file in the Windows directory)
        • KaZaa worm
              - copies itself to the default KaZaa download directory using random file names
        • HTTP server
              - runs an HTTP server on port 81, displaying information about the infected system
        • Remote access server
              - listens on ports 2018, 2019, 2020 and 2021
        • Self-updating mechanism
              - connects to a geocities user page to download updates
        • Anti-virus software termination

          When the attachment is executed, the worm extracts several files to the Windows (%WinDir%) directory.
        • initbak.dat - copy of the worm
        • iservc.exe - copy of the worm
        • ProgOp.exe (15,360 bytes) - process handling
        • iservc.dll (7,680 bytes) - handles timing and Windows hooking/keylogging

          It modifies the handling of .TXT files, such that accessing a .TXT file results in the worm being run.

          On WinNT/2K/XP systems, the worm creates a service named S1TRACE.

           

          W32/Lovgate@M
          Feb. 24, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium on Watch
          Minimum VirusScan DAT: 4248 (released 2/19/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_100072.htm

          NAI has received samples of another variant of this worm, 78,848 bytes in length. You will need DAT 4249 (released 2/24/03) to detect the variant, W32/Lovgate.c@M.

          This mass-mailing worm spreads via email by auto-replying to all new messages found in the Outlook and Outlook Express inbox using its own SMTP engine. It also attaches itself as one of the files listed below and copies itself over network shares. It also drops a backdoor component, opening port 10168 on victim computers.

          The worm auto-replies:

          'I'll try to to reply as soon as possible.
          Take a look at the attachment and send me your opinion!'

          >Get your Free 'domain.com' account now! <

          The worm propagates itself through open network shares, copying itself recursively to folders/subfolders, using the following filenames:

        • fun.exe
        • images.exe
        • news_doc.exe
        • s3msong.exe
        • pics.exe
        • billgt.exe
        • midsong.exe
        • PsPGame.exe
        • hamster.exe
        • setup.exe
        • tamagotxi.exe
        • joke.exe
        • docs.exe
        • searchurl.exe
        • card.exe
        • humor.exe

          When executed, the worm copies itself to the %System% folder as:
        • WinGate.exe
        • rpcsrv.exe
        • syshelp.exe
        • winrpc.exe
        • WinRpcsrv.exe

          The worm drops a trojan component in the %System% directory with the following names:
        • ily.dll
        • 1.dll
        • reg.dll
        • task.dll

          The backdoor trojan opens port 10168 on the computer and sends email notification to the hacker that the computer has been compromised. Information about the infected computer, including system password, is also sent to the hacker.

          The following Registry keys are added to hook system startup:

               HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
               "syshelp" = C:\Windows\System\syshelp.exe

               HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
               "WinGate initialize" = C:\Windows\System\WinGate.exe -remoteshell

          A system startup hook is also added for the backdoor component:

               HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
               "Module Call initialize" = RUNDLL32.EXE reg.dll ondll_reg

          The following Registry key is modified to hook the execution of text files:

               HKEY_CLASSES_ROOT\txtfile\shell\open\command
               (default) = "winrpc.exe %1"
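A defender can audit the file-type handler hijacks listed in the txtfile hook above, and in the exefile/comfile/batfile/htafile/piffile list earlier on this page, from an exported .reg file. This is an added example, not McAfee's tool or any code from this page; the expected stock handlers (no wrapper for exe/com/bat/pif, mshta.exe for .hta, notepad.exe for .txt) and the sample export are assumptions constructed for illustration.

```python
import re

# Assumed stock handlers: None means the open command is just "%1" %*
# (the file is run directly); otherwise the program that should open the type.
EXPECTED_HANDLER = {
    "exefile": None, "comfile": None, "batfile": None, "piffile": None,
    "htafile": "mshta.exe", "txtfile": "notepad.exe",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; '@' is the default value.
    Only quoted string data is decoded; other types are kept as raw text."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            tree[current][name] = data
    return tree


def handler_program(command):
    """Lower-cased basename of the program a shell\\open\\command runs, or None
    when the command just passes the file through ("%1" %*)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split()[0] if cmd else ""
    if prog in ("%1", ""):
        return None
    return prog.replace("/", "\\").split("\\")[-1].lower()


def find_hijacked_handlers(tree):
    """Return (file_type, detail) for every open command that runs an unexpected
    program, plus the exefile NeverShowExt marker that hides .exe extensions."""
    lower = {k.lower(): v for k, v in tree.items()}  # registry keys are case-insensitive
    findings = []
    for ftype, expected in EXPECTED_HANDLER.items():
        cmd = lower.get(f"hkey_classes_root\\{ftype}\\shell\\open\\command", {}).get("@")
        if cmd is not None and handler_program(cmd) != expected:
            findings.append((ftype, cmd))
    exefile = lower.get("hkey_classes_root\\exefile", {})
    if any(name.lower() == "nevershowext" for name in exefile):
        findings.append(("exefile", "NeverShowExt set: .exe extension hidden in Explorer"))
    return findings


# Constructed sample export: exefile and txtfile hijacked, batfile and htafile stock.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\command.exe\",\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\htafile\Shell\Open\Command]
@="C:\\WINDOWS\\System32\\mshta.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="winrpc.exe %1"
'''

if __name__ == "__main__":
    for ftype, detail in find_hijacked_handlers(parse_reg(SAMPLE_REG)):
        print(f"{ftype}: {detail}")
```

Because the check compares the program actually invoked rather than the exact command string, it also catches variants that use a different dropped filename than the ones listed on this page.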

          When executed on Windows NT/2000, the worm installs itself as a service, with display name "Window Remote Service" (runs copy of worm with filename WINRPCSRV.EXE). One of the dropped backdoor components (TASK.DLL) also installs as two services with display names "dll_reg" and "Windows Management Extension".

           

          W32/SQLSlammer.worm
          Jan. 27, 2003

          Platform: Windows NT/2000 Server running MS SQL Server 2000/MS Desktop Engine 2000
          Risk Assessment: HIGH
          Minimum VirusScan DAT: Stinger removal tool
          Minimum VirusScan scan engine: N/A
          For more information: http://vil.nai.com/vil/content/v_99992.htm

          This threat has been rated HIGH only for unpatched systems (SQL servers not running SP3 for MS SQL/MSDE):

        • Microsoft SQL Server 2000
        • Microsoft Desktop Engine (MSDE) 2000

          For a complete list of patches that must be applied to SQL Servers that are not running SP3, go to Microsoft Technet. The worm uses a buffer overflow in the "Server Resolution" service (see MS02-039) to gain control of a target server. SQL Servers running Service Pack 3 are not affected. Download SQL Server 2000 Service Pack 3.

          This worm exists only in the memory of unpatched Microsoft SQL servers; it does not exist as a file on your system. No INI files or registry keys are created by this worm. Its only purpose is to spread from one system to another, and it does not carry a destructive payload.

          This worm causes increased traffic on UDP port 1434 as it spreads between SQL servers. The heavy network traffic can affect network performance for all systems on the network.

          Removal Instructions

        • Block Incoming UDP port 1434 at your firewall (also turn off logging on that port)
        • Download and apply Service Pack 3 from Microsoft and restart the server.

          This will clear the worm from memory and prevent reinfection. The corrected SSNETLIB.DLL will have version 2000.80.760.0 (right-click the DLL icon, select Properties, then click the Version tab).

          NAI has a new version of the Stinger removal tool that is designed to locate the worm in memory on infected SQL servers and shut down the SQL processes. Stinger must be run with Administrator privileges to shut down SQL Server. Stinger will not prevent future reinfections, unless you install Service Pack 3.

           

          W32/Sobig@MM
          Jan. 14, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4242 (released 1/11/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_99950.htm

          Jan. 11, 2003 - NAI has raised the risk level of this threat to Medium due to increasing prevalence. Please update your DAT file to 4242 as soon as possible.

          This mass-mailing worm sends itself to all addresses it finds in files with extensions .wab, .dbx, .htm, .html, .eml, and .txt using its own SMTP engine. It also attempts to copy itself to open network shares:

        • \Windows\All Users\Start Menu\Programs\Startup
        • \Documents and Settings\All Users\Start Menu\Programs\Startup

          The outgoing email messages are from "big@boss.com" with the following possible subject lines:

        • Re: Movies
        • Re: Sample
        • Re: Document
        • Re: Here is that sample

          Attachments (65,536 bytes) have one of the following filenames:

        • Movie_0074.mpeg.pif
        • Document003.pif
        • Untitled1.pif
        • Sample.pif

          The worm installs itself into the Windows directory as WINMGM32.EXE and adds two registry hooks to start the program on startup:

                    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
                    "WindowsMGM" = C:\WINDOWS\winmgm32.exe

                    HKEY_LOCAL_MACHINE\Software\Windows\CurrentVersion\Run
                    "WindowsMGM" = C:\WINDOWS\winmgm32.exe

          The worm may contain a multidropper package which drops a pornographic image (which is displayed) and the worm.

           

          W32/Lirva.a@MM
          Jan. 9, 2003

          Platform: Windows 95/98/ME/NT/2000/XP
          Risk Assessment: Medium
          Minimum VirusScan DAT: 4241 (released 1/8/03)
          Minimum VirusScan scan engine: 4160
          For more information: http://vil.nai.com/vil/content/v_99949.htm

          Jan. 9, 2003 - NAI has raised the risk level of this threat to Medium due to increasing prevalence. Please update your DAT file to 4241 (or higher) as soon as possible. Get the McAfee Lirva Removal Tool (Stinger.exe v1.2 [625,152 bytes, 1/8/03]) if you have been infected with this virus.

          This mass-mailing worm also attempts to spread via ICQ, IRC, and KaZaa. It contains a Password-Stealer payload. It tries to terminate anti-virus, firewall and security software and drops an IRC bot script.

          The worm uses Outlook to gather email addresses in the "Sent Items" and "Inbox". It also queries the Windows Address Book and searches for addresses within files on the local disk with the following extensions:

        • .DBX
        • .EML
        • .HTM
        • .HTML
        • .IDX
        • .MBX
        • .NCH
        • .SHTML
        • .TBB
        • .WAB

          Possible message subject lines include the following:

        • Fw: Avril Lavigne - the best
        • Fw: Prohibited customers...
        • Fwd: Re: Admission procedure
        • Fwd: Re: Reply on account for Incorrect MIME-header
        • Re: According to Daos Summit
        • Re: ACTR/ACCELS Transciptions
        • Re: Brigade Ocho Free membership
        • Re: Reply on account for IFRAME-Security breach
        • RE: Reply on account for IIS-Security
        • Re: The real estate plunger

          The attachment is one of the following:

        • AvrilLavigne.exe
        • AvrilSmiles.exe
        • CERT-Vuln-Info.exe
        • Cogito_Ergo_Sum.exe
        • Complicated.exe
        • Download.exe
        • IAmWiThYoU.exe
        • MSO-Patch-0035.exe
        • MSO-Patch-0071.exe
        • Readme.exe
        • Resume.exe
        • Singles.exe
        • Sk8erBoi.exe
        • Sophos.exe
        • Transcripts.exe
        • Two-Up-Secretly.exe

          The message body is variable and may contain one of the following:

          Restricted area response team (RART)
          ___________________________________
          Attachment you send to is intended to overwrite start address at 0000:HH4F
          To prevent from the further buffer overflow attacks apply the MSO-patch.
          ___________________________________

          or

          Patch is also provided to subscribed list of Microsoft Tech Support: to apply the patch immediately. Microsoft strongly urges all customers using IIS 4.0 and 5.0 who have not already done so and do not need to take additional action. Customers who have applied that patch are already protected against the vulnerability that is eliminated by a previously-released patch. Microsoft has identified a security vulnerability in Microsoft IIS 4.0 and 5.0.

          or

          Admission form attached below. Vote for I'm with you! FanList admits you to take in Avril Lavigne 2003 Billboard awards ceremony Avril fans subscription

          The worm attempts to terminate anti-virus, firewall, and security processes running in memory. It monitors the titlebar of all windows and closes them if they contain one of the following strings:

        • anti
        • Anti
        • AVP
        • McAfee
        • Norton
        • virus
        • Virus

          The worm copies itself into the %WinDIR%\SYSTEM32 directory using a randomly generated name, e.g. A33AAAAgbab.EXE. A key is added to the registry to execute the worm during system boot:

                    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Avril Lavigne - Muse" =
                    C:\WINDOWS\SYSTEM32\A33AAAAgbab.EXE (random name)

          Another key is created and used as a marker that the system is infected:

                    HKEY_LOCAL_MACHINE\Software\HKLM\Software\OvG\Avril Lavingne

          It also copies itself using one of the filenames of the attachment mentioned in the email propagation to c:\ and %WINDIR%\TEMP.
          The worm places four copies of itself using random names into the RECYCLED folder and adds a call to itself in AUTOEXEC.BAT.

          The worm tries to retrieve cached passwords from the infected host and sends them in an email using its own SMTP engine via an open SMTP server (62.118.249.10, TCP port 25).

          After the worm executes, it opens the default web browser to the Avril Lavigne web site (http://www.avril-lavigne.com) and draws colored geometric figures on the screen which are always "on top" of the desktop.

           
